opexxx

9995a1c9ecf2a84bb9da752dfc43cbe8_sys

Mar 29th, 2017
  1. Type Mode/Class Details (Path/Message/Protocol/Hostname/Qtype/ListenPort etc.) Process ID Parent ID File Size
  2. Analysis
  3. Malware
  4.  
  5.  
  6. Application
  7.  
  8.  
  9. 3 Repeated items skipped
  10. Config Update
  11.  
  12.  
  13. Uac
  14. Service
  15.  
  16. Windows Image Acquisition (WIA)
  17.  
  18. Uac
  19. Service
  20.  
  21. Multimedia Class Scheduler
  22.  
  23. Process
  24. Started
  25.  
  26. C:\Users\Administrator\AppData\Local\Temp\factura.exe
  27. Parentname: C:\Windows\explorer.exe
  28. Command Line: "C:\Users\ADMINI~1\AppData\Local\Temp\factura.exe"
  29. MD5: 9995a1c9ecf2a84bb9da752dfc43cbe8
  30. SHA1: d54dcd18d30fc944347b994376282c9ec1b7467d
  31. 604 1676 1206863
  32. File
  33. Failed
  34.  
  35. C:\Windows\System32\WOW64LOG.DLL
  36. 604
  37. Mutex
  38.  
  39. \Sessions\1\BaseNamedObjects\DBWinMutex
  40. 604
  41. Regkey
  42. Queryvalue
  43.  
  44. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
  45. 604
  46. File
  47. Failed
  48.  
  49. C:\Users\ADMINI~1\AppData\Local\Temp\KYEFJIANLV
  50. 604
  51. File
  52. Failed
  53.  
  54. C:\Users\ADMINI~1\AppData\Local\Temp\kyEFJiaNlv
  55. 604
  56. File
  57. Failed
  58.  
  59. C:\Windows\SysWOW64\KYEFJIANLV
  60. 604
  61. File
  62. Failed
  63.  
  64. C:\Windows\system\KYEFJIANLV
  65. 604
  66. File
  67. Failed
  68.  
  69. C:\Windows\KYEFJIANLV
  70. 604
  71. File
  72. Failed
  73.  
  74. C:\Windows\SysWOW64\KYEFJIANLV
  75. 604
  76. File
  77. Failed
  78.  
  79. C:\Windows\KYEFJIANLV
  80. 604
  81. File
  82. Failed
  83.  
  84. C:\Windows\SysWOW64\wbem\KYEFJIANLV
  85. 604
  86. File
  87. Failed
  88.  
  89. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\KYEFJIANLV
  90. 604
  91. File
  92. Failed
  93.  
  94. C:\Program Files (x86)\Skype\Phone\KYEFJIANLV
  95. 604
  96. File
  97. Failed
  98.  
  99. C:\Program Files (x86)\QuickTime\QTSystem\KYEFJIANLV
  100. 604
  101. File
  102. Failed
  103.  
  104. C:\Program Files (x86)\Debugging Tools for Windows (x86)\KYEFJIANLV
  105. 604
  106. File
  107. Failed
  108.  
  109. C:\Program Files\Debugging Tools for Windows (x64)\KYEFJIANLV
  110. 604
  111. API Call
  112.  
  113. API Name: GetDesktopWindow Address: 0x004010e0
  114. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: user32.dll
  115. 604
  116. File
  117. Failed
  118.  
  119. C:\Users\ADMINI~1\AppData\Local\Temp\RXVWYJLHVY
  120. 604
  121. File
  122. Failed
  123.  
  124. C:\Users\ADMINI~1\AppData\Local\Temp\rxVwYjlhVy
  125. 604
  126. File
  127. Failed
  128.  
  129. C:\Windows\SysWOW64\RXVWYJLHVY
  130. 604
  131. File
  132. Failed
  133.  
  134. C:\Windows\system\RXVWYJLHVY
  135. 604
  136. File
  137. Failed
  138.  
  139. C:\Windows\RXVWYJLHVY
  140. 604
  141. File
  142. Failed
  143.  
  144. C:\Windows\SysWOW64\RXVWYJLHVY
  145. 604
  146. File
  147. Failed
  148.  
  149. C:\Windows\RXVWYJLHVY
  150. 604
  151. File
  152. Failed
  153.  
  154. C:\Windows\SysWOW64\wbem\RXVWYJLHVY
  155. 604
  156. File
  157. Failed
  158.  
  159. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\RXVWYJLHVY
  160. 604
  161. File
  162. Failed
  163.  
  164. C:\Program Files (x86)\Skype\Phone\RXVWYJLHVY
  165. 604
  166. File
  167. Failed
  168.  
  169. C:\Program Files (x86)\QuickTime\QTSystem\RXVWYJLHVY
  170. 604
  171. File
  172. Failed
  173.  
  174. C:\Program Files (x86)\Debugging Tools for Windows (x86)\RXVWYJLHVY
  175. 604
  176. File
  177. Failed
  178.  
  179. C:\Program Files\Debugging Tools for Windows (x64)\RXVWYJLHVY
  180. 604
  181. API Call
  182.  
  183. API Name: GetSystemDirectoryW Address: 0x75eef96e
  184. Params: [0x75f56420, 260]
  185. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  186. 604
  187. File
  188. Failed
  189.  
  190. C:\Users\ADMINI~1\AppData\Local\Temp\NETAPI32.DLL
  191. 604
  192. File
  193. Failed
  194.  
  195. C:\Users\ADMINI~1\AppData\Local\Temp\NETUTILS.DLL
  196. 604
  197. File
  198. Failed
  199.  
  200. C:\Users\ADMINI~1\AppData\Local\Temp\SRVCLI.DLL
  201. 604
  202. File
  203. Failed
  204.  
  205. C:\Users\ADMINI~1\AppData\Local\Temp\WKSCLI.DLL
  206. 604
  207. File
  208. Failed
  209.  
  210. C:\Users\ADMINI~1\AppData\Local\Temp\SCHEDCLI.DLL
  211. 604
  212. File
  213. Failed
  214.  
  215. C:\Users\ADMINI~1\AppData\Local\Temp\PROFAPI.DLL
  216. 604
  217. API Call
  218.  
  219. API Name: GetComputerNameW Address: 0x00413a3c
  220. Params: [0x18fb14, 0x18fb54]
  221. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  222. 604
  223. API Call
  224.  
  225. API Name: GetSystemDirectoryW Address: 0x00413bac
  226. Params: [0x18f94c, 260]
  227. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  228. 604
  229. Regkey
  230. Queryvalue
  231.  
  232. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
  233. 604
  234. Regkey
  235. Added
  236.  
  237. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\
  238. 604
  239. Regkey
  240. Added
  241.  
  242. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32
  243. 604
  244. Regkey
  245. Added
  246.  
  247. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration
  248. 604
  249. Regkey
  250. Setval
  251.  
  252. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\"xi" = 7A2F0ADB1B90B147DABB
  253. 604
  254. File
  255. Failed
  256.  
  257. C:\ProgramData\SYSTEM32\XVERSION
  258. 604
  259. File
  260. Failed
  261.  
  262. C:\Users\Administrator\AppData\Roaming\SYSTEM32\XVERSION
  263. 604
  264. File
  265. Failed
  266.  
  267. C:\ProgramData\WINDOWS
  268. 604
  269. Folder
  270. Created
  271.  
  272. C:\ProgramData\Windows
  273. 604
  274. Folder
  275. Hide
  276.  
  277. C:\ProgramData\Windows
  278. 604
  279. File
  280. Failed
  281.  
  282. C:\ProgramData\Windows\CSRSS.EXE
  283. 604
  284. File
  285. Created
  286.  
  287. C:\ProgramData\Windows\csrss.exe
  288. 604
  289. Malicious Alert
  290. Malicious Directory
  291.  
  292. Message: Executable file created in suspicious location
  293.  
  294. Malicious Alert
  295. Misc Anom
  296.  
  297. Message: Generic Trojan Behavior
  298.  
  299. API Call
  300.  
  301. API Name: SetProcessDEPPolicy Address: 0x00470bd9
  302. Params: [1]
  303. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  304. 604
  305. Folder
  306. Created
  307.  
  308. C:\Users\Administrator\AppData\Local\Temp\6893A5D897
  309. 604
  310. File
  311. Close
  312.  
  313. C:\ProgramData\Windows\csrss.exe
  314. MD5: 9995a1c9ecf2a84bb9da752dfc43cbe8
  315. SHA1: d54dcd18d30fc944347b994376282c9ec1b7467d
  316. 604 1206863
  317. API Call
  318.  
  319. API Name: Sleep Address: 0x0040de21
  320. Params: [100]
  321. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  322. 604
  323. Regkey
  324. Setval
  325.  
  326. \REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Microsoft\Windows\CurrentVersion\Run\"Client Server Runtime Subsystem" = "C:\ProgramData\Windows\csrss.exe"
  328. 604
  329. Regkey
  330. Setval
  331.  
  332. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\"xVersion" = 4.0.0.1
  333. 604
  334. API Call
  335.  
  336. API Name: GetComputerNameExW Address: 0x776ace4b
  337. Params: [0, 0x77740a6c, 0x777401c0]
  338. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  339. 604
  340. API Call
  341.  
  342. API Name: Sleep Address: 0x0040de21
  343. Params: [100]
  344. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  345. 604
  346. API Call
  347.  
  348. API Name: Sleep Address: 0x0040de21
  349. Params: [100]
  350. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  351. 604
  352. 3 Repeated items skipped
  353. API Call
  354.  
  355. API Name: CryptAcquireContextW Address: 0x004247f1
  356. Params: [NULL, NULL, 1, 4026531840]
  357. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: advapi32.dll
  358. 604
  359. File
  360. Failed
  361.  
  362. C:\Users\ADMINI~1\AppData\Local\Temp\CRYPTSP.DLL
  363. 604
  364. API Call
  365.  
  366. API Name: Sleep Address: 0x0040de21
  367. Params: [100]
  368. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  369. 604
  370. API Call
  371.  
  372. API Name: GetDesktopWindow Address: 0x0041e281
  373. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: user32.dll
  374. 604
  375. API Call
  376.  
  377. API Name: Sleep Address: 0x0040de21
  378. Params: [100]
  379. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  380. 604
  381. API Call
  382.  
  383. API Name: Sleep Address: 0x0040de21
  384. Params: [100]
  385. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  386. 604
  387. API Call
  388.  
  389. API Name: Process32First Address: 0x00424bf3
  390. Params: [0x158, 0x265f7a0]
  391. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  392. 604
  393. Malicious Alert
  394. Generic Anomalous Activity
  395.  
  396. Message: Enumerating running processes
  397.  
  398. API Call
  399.  
  400. API Name: CryptAcquireContextA Address: 0x0050087e
  401. Params: [NULL, NULL, 1, 4026531840]
  402. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: advapi32.dll
  403. 604
  404. API Call
  405.  
  406. API Name: GetDesktopWindow Address: 0x0041e281
  407. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: user32.dll
  408. 604
  409. API Call
  410.  
  411. API Name: Sleep Address: 0x0040de21
  412. Params: [100]
  413. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  414. 604
  415. API Call
  416.  
  417. API Name: Sleep Address: 0x0040de21
  418. Params: [100]
  419. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  420. 604
  421. API Call
  422.  
  423. API Name: Process32First Address: 0x00424bf3
  424. Params: [0x14c, 0x265f718]
  425. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  426. 604
  427. File
  428. Failed
  429.  
  430. C:\Windows\SysWOW64\RPCSS.DLL
  431. 604
  432. 2 Repeated items skipped
  433. API Call
  434.  
  435. API Name: GetVolumeNameForVolumeMountPointW Address: 0x76a80aaa
  436. Params: [NULL, \\?\Volume{a4dcb962-c2b8-11e2-8b83-806e6f6e6963}\]
  437. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  438. 604
  439. API Call
  440.  
  441. API Name: GetTokenInformation Address: 0x76a80172
  442. Params: [0x18c, 0x19]
  443. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: advapi32.dll
  444. 604
  445. API Call
  446.  
  447. API Name: Sleep Address: 0x0040de21
  448. Params: [100]
  449. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  450. 604
  451. File
  452. Failed
  453.  
  454. C:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches
  455. 604
  456. File
  457. Failed
  458.  
  459. C:\Users\ADMINI~1\AppData\Local\Temp\NTMARTA.DLL
  460. 604
  461. API Call
  462.  
  463. API Name: GetSystemDirectoryW Address: 0x75709cce
  464. Params: [0x2d0f6cc, 260]
  465. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  466. 604
  467. API Call
  468.  
  469. API Name: GetVolumeNameForVolumeMountPointW Address: 0x76a80e20
  470. Params: [NULL, \\?\Volume{a4dcb965-c2b8-11e2-8b83-806e6f6e6963}\]
  471. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  472. 604
  473. API Call
  474.  
  475. API Name: GetVolumeNameForVolumeMountPointW Address: 0x76a80e20
  476. Params: [NULL, \\?\Volume{a4dcb962-c2b8-11e2-8b83-806e6f6e6963}\]
  477. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  478. 604
  479. API Call
  480.  
  481. API Name: GetTokenInformation Address: 0x76a80172
  482. Params: [0x1a8, 0x19]
  483. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: advapi32.dll
  484. 604
  485. API Call
  486.  
  487. API Name: GetTokenInformation Address: 0x76a80172
  488. Params: [0x1a8, 0x19]
  489. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: advapi32.dll
  490. 604
  491. API Call
  492.  
  493. API Name: Sleep Address: 0x0040de21
  494. Params: [100]
  495. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  496. 604
  497. File
  498. Failed
  499.  
  500. C:\Users\Administrator\AppData\Roaming\TOR
  501. 604
  502. 4 Repeated items skipped
  503. API Call
  504.  
  505. API Name: Sleep Address: 0x0040de21
  506. Params: [100]
  507. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  508. 604
  509. Network
  510. Listen
  511.  
  512. Protocol Type: tcp Listen Port: 49199 IP Address: 127.0.0.1:49199
  513. Imagepath: c:\Users\Administrator\AppData\Local\Temp\factura.exe
  514. 604
  515. Malicious Alert
  516. Network Activity
  517.  
  518. Message: TCP listen port opened
  519.  
  520. Network
  521. Connect
  522.  
  523. Protocol Type: tcp Destination Port: 49199 IP Address: 127.0.0.1
  524. Imagepath: c:\Users\Administrator\AppData\Local\Temp\factura.exe
  525. 604
  526. Malicious Alert
  527. Network Activity
  528.  
  529. Message: Network outbound communication attempted
  530.  
  531. Network
  532. Listen
  533.  
  534. Protocol Type: tcp Listen Port: 31721 IP Address: 127.0.0.1:31721
  535. Imagepath: c:\Users\Administrator\AppData\Local\Temp\factura.exe
  536. 604
  537. File
  538. Created
  539.  
  540. C:\Users\Administrator\AppData\Local\Temp\6893A5D897\lock
  541. 604
  542. File
  543. Created
  544.  
  545. C:\Users\Administrator\AppData\Local\Temp\6893A5D897\state.tmp
  546. 604
  547. File
  548. Close
  549.  
  550. C:\Users\Administrator\AppData\Local\Temp\6893A5D897\state.tmp
  551. MD5: 34c7720364200078cf8cd1aefda03843
  552. SHA1: 0cf818b11aa01a437fa5940fa265f60c6745d363
  553. 604 199
  554. File
  555. Rename
  556.  
  557. Old Name: C:\Users\Administrator\AppData\Local\Temp\6893A5D897\state.tmp
  558. New Name: C:\Users\Administrator\AppData\Local\Temp\6893A5D897\state
  559. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  560. MD5: 34c7720364200078cf8cd1aefda03843
  561. SHA1: 0cf818b11aa01a437fa5940fa265f60c6745d363
  562. 604 199
  563. File
  564. Failed
  565.  
  566. C:\Users\ADMINI~1\AppData\Local\Temp\6893A5~1\ROUTER-STABILITY
  567. 604
  568. File
  569. Failed
  570.  
  571. C:\Users\Administrator\AppData\Roaming\TOR\GEOIP
  572. 604
  573. File
  574. Failed
  575.  
  576. C:\Users\Administrator\AppData\Roaming\TOR\GEOIP6
  577. 604
  578. API Call
  579.  
  580. API Name: Sleep Address: 0x0040de21
  581. Params: [100]
  582. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  583. 604
  584. File
  585. Failed
  586.  
  587. C:\Users\ADMINI~1\AppData\Local\Temp\6893A5~1\CACHED-CERTS
  588. 604
  589. File
  590. Failed
  591.  
  592. C:\Users\ADMINI~1\AppData\Local\Temp\6893A5~1\CACHED-CONSENSUS
  593. 604
  594. File
  595. Failed
  596.  
  597. C:\Users\ADMINI~1\AppData\Local\Temp\6893A5~1\UNVERIFIED-CONSENSUS
  598. 604
  599. File
  600. Failed
  601.  
  602. C:\Users\ADMINI~1\AppData\Local\Temp\6893A5~1\CACHED-MICRODESC-CONSENSUS
  603. 604
  604. API Call
  605.  
  606. API Name: Sleep Address: 0x0040de21
  607. Params: [100]
  608. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  609. 604
  610. File
  611. Failed
  612.  
  613. C:\Users\ADMINI~1\AppData\Local\Temp\6893A5~1\UNVERIFIED-MICRODESC-CONSENSUS
  614. 604
  615. File
  616. Failed
  617.  
  618. C:\Users\ADMINI~1\AppData\Local\Temp\6893A5~1\CACHED-MICRODESCS
  619. 604
  620. File
  621. Failed
  622.  
  623. C:\Users\ADMINI~1\AppData\Local\Temp\6893A5~1\CACHED-MICRODESCS.NEW
  624. 604
  625. File
  626. Failed
  627.  
  628. C:\Users\ADMINI~1\AppData\Local\Temp\6893A5~1\CACHED-DESCRIPTORS
  629. 604
  630. File
  631. Failed
  632.  
  633. C:\Users\ADMINI~1\AppData\Local\Temp\6893A5~1\CACHED-EXTRAINFO
  634. 604
  635. API Call
  636.  
  637. API Name: Sleep Address: 0x0040de21
  638. Params: [100]
  639. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  640. 604
  641. API Call
  642.  
  643. API Name: Sleep Address: 0x0040de21
  644. Params: [100]
  645. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  646. 604
  647. 3 Repeated items skipped
  648. API Call
  649.  
  650. API Name: Sleep Address: 0x0040de21
  651. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  652. 604
  653. API Call
  654.  
  655. API Name: Sleep Address: 0x0040de21
  656. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  657. 604
  658. 3 Repeated items skipped
  659. API Call
  660.  
  661. API Name: GetSystemDirectoryA Address: 0x004f8683
  662. Params: [0x265f8f4, 260]
  663. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  664. 604
  665. File
  666. Failed
  667.  
  668. C:\Users\ADMINI~1\AppData\Local\Temp\WINNSI.DLL
  669. 604
  670. File
  671. Failed
  672.  
  673. C:\Users\ADMINI~1\AppData\Local\Temp\DHCPCSVC6.DLL
  674. 604
  675. File
  676. Failed
  677.  
  678. C:\Users\ADMINI~1\AppData\Local\Temp\DHCPCSVC.DLL
  679. 604
  680. API Call
  681.  
  682. API Name: GetSystemDirectoryA Address: 0x004f8683
  683. Params: [0x265f8f4, 260]
  684. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  685. 604
  686. API Call
  687.  
  688. API Name: Sleep Address: 0x0040de21
  689. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  690. 604
  691. API Call
  692.  
  693. API Name: Sleep Address: 0x0040de21
  694. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  695. 604
  696. 4 Repeated items skipped
  697. Uac
  698. Service
  699.  
  700. Multimedia Class Scheduler
  701.  
  702. ProcessTelemetryReport
  703.  
  704. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  705. 604
  706. API Call
  707.  
  708. API Name: Sleep Address: 0x0040de21
  709. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  710. 604
  711. ProcessTelemetryReport
  712.  
  713. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  714. 604
  715. API Call
  716.  
  717. API Name: Sleep Address: 0x0040de21
  718. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  719. 604
  720. Uac
  721. Service
  722.  
  723. Multimedia Class Scheduler
  724.  
  725. ProcessTelemetryReport
  726.  
  727. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  728. 604
  729. API Call
  730.  
  731. API Name: Sleep Address: 0x0040de21
  732. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  733. 604
  734. 3 Repeated items skipped
  735. ProcessTelemetryReport
  736.  
  737. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  738. 604
  739. API Call
  740.  
  741. API Name: Sleep Address: 0x0040de21
  742. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  743. 604
  744. API Call
  745.  
  746. API Name: Sleep Address: 0x0040de21
  747. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  748. 604
  749. 4 Repeated items skipped
  750. Malicious Alert
  751. High Repeated Sleep Calls
  752.  
  753. Message: High repeated sleep calls
  754.  
  755. API Call
  756.  
  757. API Name: Sleep Address: 0x0040de21
  758. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  759. 604
  760. API Call
  761.  
  762. API Name: Sleep Address: 0x0040de21
  763. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  764. 604
  765. 4 Repeated items skipped
  766. Regkey
  767. Setval
  768.  
  769. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\"xmode" = 798
  770. 604
  771. Regkey
  772. Setval
  773.  
  774. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\"xpk" = -----BEGIN PUBLIC KEY-----.MII
  780. 604
  781. Regkey
  782. Setval
  783.  
  784. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\"xstate" = 3
  785. 604
  786. Regkey
  787. Setval
  788.  
  789. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\"xcnt" = 0
  790. 604
  791. API Call
  792.  
  793. API Name: GetSystemDirectoryW Address: 0x00412f62
  794. Params: [0x33ef2d8, 1024]
  795. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  796. 604
  797. API Call
  798.  
  799. API Name: GetSystemDirectoryW Address: 0x00413079
  800. Params: [0x18f1c8, 1024]
  801. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  802. 604
  803. File
  804. Created
  805.  
  806. C:\README1.txt
  807. 604
  808. File
  809. Close
  810.  
  811. C:\README1.txt
  812. MD5: c1c8aa778ab31b146974da08d9259ecd
  813. SHA1: cf3a7a326d7907c566b4e7a61b0b7f2505983473
  814. 604 2136
  815. File
  816. Created
  817.  
  818. C:\README2.txt
  819. 604
  820. File
  821. Close
  822.  
  823. C:\README2.txt
  824. MD5: c1c8aa778ab31b146974da08d9259ecd
  825. SHA1: cf3a7a326d7907c566b4e7a61b0b7f2505983473
  826. 604 2136
  827. File
  828. Created
  829.  
  830. C:\README3.txt
  831. 604
  832. File
  833. Close
  834.  
  835. C:\README3.txt
  836. MD5: c1c8aa778ab31b146974da08d9259ecd
  837. SHA1: cf3a7a326d7907c566b4e7a61b0b7f2505983473
  838. 604 2136
  839. File
  840. Created
  841.  
  842. C:\README4.txt
  843. 604
  844. File
  845. Close
  846.  
  847. C:\README4.txt
  848. MD5: c1c8aa778ab31b146974da08d9259ecd
  849. SHA1: cf3a7a326d7907c566b4e7a61b0b7f2505983473
  850. 604 2136
  851. File
  852. Created
  853.  
  854. C:\README5.txt
  855. 604
  856. File
  857. Close
  858.  
  859. C:\README5.txt
  860. MD5: c1c8aa778ab31b146974da08d9259ecd
  861. SHA1: cf3a7a326d7907c566b4e7a61b0b7f2505983473
  862. 604 2136
  863. File
  864. Created
  865.  
  866. C:\README6.txt
  867. 604
  868. File
  869. Close
  870.  
  871. C:\README6.txt
  872. MD5: c1c8aa778ab31b146974da08d9259ecd
  873. SHA1: cf3a7a326d7907c566b4e7a61b0b7f2505983473
  874. 604 2136
  875. File
  876. Created
  877.  
  878. C:\README7.txt
  879. 604
  880. File
  881. Close
  882.  
  883. C:\README7.txt
  884. MD5: c1c8aa778ab31b146974da08d9259ecd
  885. SHA1: cf3a7a326d7907c566b4e7a61b0b7f2505983473
  886. 604 2136
  887. File
  888. Created
  889.  
  890. C:\README8.txt
  891. 604
  892. File
  893. Close
  894.  
  895. C:\README8.txt
  896. MD5: c1c8aa778ab31b146974da08d9259ecd
  897. SHA1: cf3a7a326d7907c566b4e7a61b0b7f2505983473
  898. 604 2136
  899. File
  900. Created
  901.  
  902. C:\README9.txt
  903. 604
  904. API Call
  905.  
  906. API Name: GetSystemDirectoryW Address: 0x00413079
  907. Params: [0x18ef08, 1024]
  908. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  909. 604
  910. File
  911. Close
  912.  
  913. C:\README9.txt
  914. MD5: c1c8aa778ab31b146974da08d9259ecd
  915. SHA1: cf3a7a326d7907c566b4e7a61b0b7f2505983473
  916. 604 2136
  917. File
  918. Created
  919.  
  920. C:\README10.txt
  921. 604
  922. File
  923. Close
  924.  
  925. C:\README10.txt
  926. MD5: c1c8aa778ab31b146974da08d9259ecd
  927. SHA1: cf3a7a326d7907c566b4e7a61b0b7f2505983473
  928. 604 2136
  929. Regkey
  930. Setval
  931.  
  932. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\"xstate" = 4
  933. 604
  934. API Call
  935.  
  936. API Name: GetSystemDirectoryW Address: 0x00413079
  937. Params: [0x352f540, 1024]
  938. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  939. 604
  940. File
  941. Find
  942.  
  943. C:\*
  944. 604
  945. File
  946. Find
  947.  
  948. C:\Users\*
  949. 604
  950. File
  951. Open
  952.  
  953. C:\Users\Public\Videos\Sample Videos\Wildlife.wmv
  954. 604 26246026
  955. Process
  956. Started
  957.  
  958. C:\Windows\System32\vssadmin.exe
  959. Parentname: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  960. Command Line: C:\Windows\system32\vssadmin.exe List Shadows
  961. MD5: e23dd973e1444684eb36365deff1fc74
  962. SHA1: 09fafeb1b8404124b33c44440be7e3fdb6105f8a
  963. 1048 604 167424
  964. Regkey
  965. Setval
  966.  
  967. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\"xcnt" = 0
  968. 604
  969. 91 Repeated items skipped
  970. API Call
  971.  
  972. API Name: Sleep Address: 0x0040e6c8
  973. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  974. 604
  975. Mutex
  976.  
  977. \Sessions\1\BaseNamedObjects\DBWinMutex
  978. 1048
  979. Regkey
  980. Queryvalue
  981.  
  982. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
  983. 1048
  984. API Call
  985.  
  986. API Name: Sleep Address: 0x0040e6c8
  987. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  988. 604
  989. API Call
  990.  
  991. API Name: Sleep Address: 0x0040e6c8
  992. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  993. 604
  994. API Call
  995.  
  996. API Name: Sleep Address: 0x0040e6c8
  997. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  998. 604
  999. Regkey
  1000. Setval
  1001.  
  1002. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\"xcnt" = 0
  1003. 604
  1004. 4 Repeated items skipped
  1005. Uac
  1006. Service
  1007.  
  1008. Volume Shadow Copy
  1009.  
  1010. Uac
  1011. Service
  1012.  
  1013. Microsoft Software Shadow Copy Provider
  1014.  
  1015. Process
  1016. Terminated
  1017.  
  1018. C:\Windows\System32\vssadmin.exe
  1019. Parentname: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  1020. Command Line: N/A
  1021. 1048 604
  1022. API Call
  1023.  
  1024. API Name: GetSystemDirectoryW Address: 0x00412f62
  1025. Params: [0x33ef2d8, 1024]
  1026. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  1027. 604
  1028. Process
  1029. Started
  1030.  
  1031. C:\Windows\System32\vssadmin.exe
  1032. Parentname: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  1033. Command Line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
  1034. MD5: e23dd973e1444684eb36365deff1fc74
  1035. SHA1: 09fafeb1b8404124b33c44440be7e3fdb6105f8a
  1036. 1808 604 167424
  1037. Malicious Alert
  1038. Disk Tampering Activity
  1039.  
  1040. Message: Disk Tampering
  1041.  
  1042. Malicious Alert
  1043. Misc Anom
  1044.  
  1045. Message: Disk Tampering Detected
  1046.  
  1047. Mutex
  1048.  
  1049. \Sessions\1\BaseNamedObjects\DBWinMutex
  1050. 1808
  1051. Regkey
  1052. Queryvalue
  1053.  
  1054. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
  1055. 1808
  1056. Regkey
  1057. Setval
  1058.  
  1059. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\"xcnt" = 0
  1060. 604
  1061. ProcessTelemetryReport
  1062.  
  1063. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  1064. 604
  1065. API Call
  1066.  
  1067. API Name: Sleep Address: 0x0040e6c8
  1068. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  1069. 604
  1070. Regkey
  1071. Setval
  1072.  
  1073. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\"xcnt" = 0
  1074. 604
  1075. 13 Repeated items skipped
  1076. ProcessTelemetryReport
  1077.  
  1078. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  1079. 604
  1080. File
  1081. Close
  1082.  
  1083. C:\Users\Public\Videos\Sample Videos\Wildlife.wmv
  1084. MD5: d783aa11bdc83430f9d30ef39c37eb3e
  1085. SHA1: b9aca26b0ffb2eb52362c8f82f198d894905a6ef
  1086. 604 26246410
  1087. File
  1088. Open
  1089.  
  1090. C:\Users\Public\Videos\Sample Videos\Wildlife.wmv
  1091. MD5: d783aa11bdc83430f9d30ef39c37eb3e
  1092. SHA1: b9aca26b0ffb2eb52362c8f82f198d894905a6ef
  1093. 604 26246410
  1094. High Cpu
  1095.  
  1096. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  1097. 604
  1098. File
  1099. Close
  1100.  
  1101. C:\Users\Public\Videos\Sample Videos\Wildlife.wmv
  1102. MD5: 0b366962504e9d26ede7554a1e543f1c
  1103. SHA1: 142c7498960f43bf5abea19bd4511ba2008df44e
  1104. 604 26246416
  1105. File
  1106. Rename
  1107.  
  1108. Old Name: C:\Users\Public\Videos\Sample Videos\Wildlife.wmv
  1109. New Name: C:\Users\Public\Videos\Sample Videos\wDz6On8qmqltEd3LYIQIv4Rp+qEXQxh1KJpZlElW-5c=.7A2F0ADB1B90B147DABB.no_more_ransom
  1111. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  1112. MD5: 0b366962504e9d26ede7554a1e543f1c
  1113. SHA1: 142c7498960f43bf5abea19bd4511ba2008df44e
  1114. 604 26246416
  1115. File
  1116. Failed
  1117.  
  1118. C:\ProgramData\SYSTEM32
  1119. 604
  1120. Folder
  1121. Created
  1122.  
  1123. C:\ProgramData\System32
  1124. 604
  1125. Folder
  1126. Hide
  1127.  
  1128. C:\ProgramData\System32
  1129. 604
  1130. File
  1131. Failed
  1132.  
  1133. C:\ProgramData\System32\XFS
  1134. 604
  1135. File
  1136. Created
  1137.  
  1138. C:\ProgramData\System32\xfs
  1139. 604
  1140. File
  1141. Close
  1142.  
  1143. C:\ProgramData\System32\xfs
  1144. MD5: b40e775927a2f1c38d960921b60d7a8d
  1145. SHA1: 46091bdfdb005fcaabf9489768fa9954907fe124
  1146. 604 134
  1147. File
  1148. Hide
  1149.  
  1150. C:\ProgramData\System32\xfs
  1151. MD5: b40e775927a2f1c38d960921b60d7a8d
  1152. SHA1: 46091bdfdb005fcaabf9489768fa9954907fe124
  1153. 604 134
  1154. File
  1155. Open
  1156.  
  1157. C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
  1158. 604 620888
  1159. File
  1160. Close
  1161.  
  1162. C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
  1163. MD5: 886b76b7e667b07eb384aef6b287dd8f
  1164. SHA1: fa4710759b26074bc1071cb460845e03e4fbf961
  1165. 604 621272
  1166. File
  1167. Open
  1168.  
  1169. C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
  1170. MD5: 886b76b7e667b07eb384aef6b287dd8f
  1171. SHA1: fa4710759b26074bc1071cb460845e03e4fbf961
  1172. 604 621272
  1173. File
  1174. Close
  1175.  
  1176. C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
  1177. MD5: eb5c740ca5e6b82f98731606438d2949
  1178. SHA1: 1b0c15cbe0738dccfde2694b0609ce3f0367a551
  1179. 604 621280
  1180. File
  1181. Rename
  1182.  
  1183. Old Name: C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
  1184. New Name: C:\Users\Public\Pictures\Sample Pictures\PF+Cxm3VmNNzOXBRmkDH+Hg9aO+zrZWwFtNUkj2M0go=.7A2F0ADB1B90B147DABB.no_more_ransom
  1186. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  1187. MD5: eb5c740ca5e6b82f98731606438d2949
  1188. SHA1: 1b0c15cbe0738dccfde2694b0609ce3f0367a551
  1189. 604 621280
  1190. File
  1191. Open
  1192.  
  1193. C:\ProgramData\System32\xfs
  1194. MD5: b40e775927a2f1c38d960921b60d7a8d
  1195. SHA1: 46091bdfdb005fcaabf9489768fa9954907fe124
  1196. 604 134
  1197. File
  1198. Close
  1199.  
  1200. C:\ProgramData\System32\xfs
  1201. MD5: 28da47be3cb23f6c66160ea208cfd372
  1202. SHA1: a8525efdf940b2d2202cd8f78b044c72053c2645
  1203. 604 274
  1204. File
  1205. Hide
  1206.  
  1207. C:\ProgramData\System32\xfs
  1208. MD5: 28da47be3cb23f6c66160ea208cfd372
  1209. SHA1: a8525efdf940b2d2202cd8f78b044c72053c2645
  1210. 604 274
  1211. File
  1212. Open
  1213.  
  1214. C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
  1215. 604 777835
  1216. File
  1217. Close
  1218.  
  1219. C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
  1220. MD5: 433508676ab1e8516196371912f0c31d
  1221. SHA1: f99cd9c7206459d0ad5e8c2d31266c004ddce650
  1222. 604 778219
  1223. File
  1224. Open
  1225.  
  1226. C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
  1227. MD5: 433508676ab1e8516196371912f0c31d
  1228. SHA1: f99cd9c7206459d0ad5e8c2d31266c004ddce650
  1229. 604 778219
  1230. File
  1231. Close
  1232.  
  1233. C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
  1234. MD5: a12ed00d8d6a54423cef5e58a703ed44
  1235. SHA1: 316d8eb4b55845f8df72d76251e2b979a1930048
  1236. 604 778224
  1237. File
  1238. Rename
  1239.  
  1240. Old Name: C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
  1241. New Name: C:\Users\Public\Pictures\Sample Pictures\L6bCSak2OI8V7u+sAHjsPsx58Q++QKWQvcU4Zscstn4=.7A2F0ADB1B90B147DABB.no_more_ransom
  1243. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  1244. MD5: a12ed00d8d6a54423cef5e58a703ed44
  1245. SHA1: 316d8eb4b55845f8df72d76251e2b979a1930048
  1246. 604 778224
  1247. File
  1248. Open
  1249.  
  1250. C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
  1251. 604 561276
  1252. File
  1253. Open
  1254.  
  1255. C:\ProgramData\System32\xfs
  1256. MD5: 28da47be3cb23f6c66160ea208cfd372
  1257. SHA1: a8525efdf940b2d2202cd8f78b044c72053c2645
  1258. 604 274
  1259. File
  1260. Close
  1261.  
  1262. C:\ProgramData\System32\xfs
  1263. MD5: cb3ba0321674d2aed9570bc5ef2b9632
  1264. SHA1: 878f39613d12a8ba5f0e2c67e0b5558b225768ab
  1265. 604 418
  1266. File
  1267. Hide
  1268.  
  1269. C:\ProgramData\System32\xfs
  1270. MD5: cb3ba0321674d2aed9570bc5ef2b9632
  1271. SHA1: 878f39613d12a8ba5f0e2c67e0b5558b225768ab
  1272. 604 418
  1273. File
  1274. Close
  1275.  
  1276. C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
  1277. MD5: c8f6785d95696592ae266486a46297eb
  1278. SHA1: a61306f72a7368c47f3574dad6a098add3ec6712
  1279. 604 561660
  1280. File
  1281. Open
  1282.  
  1283. C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
  1284. MD5: c8f6785d95696592ae266486a46297eb
  1285. SHA1: a61306f72a7368c47f3574dad6a098add3ec6712
  1286. 604 561660
  1287. File
  1288. Close
  1289.  
  1290. C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
  1291. MD5: 28df3d0418dece2e132c76b96d01c36a
  1292. SHA1: 4cb0d2d02a5ffaab5f6728ba84c8587ab73a5c6c
  1293. 604 561664
  1294. File
  1295. Rename
  1296.  
  1297. Old Name: C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
  1298. New Name: C:\Users\Public\Pictures\Sample Pictures\P1XoWVaGq1E9j6v6sSwA4i13OmeNmtZAaHIkklpMjDE=.7A2F0ADB1B90B147DABB.no_more_ransom
  1300. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  1301. MD5: 28df3d0418dece2e132c76b96d01c36a
  1302. SHA1: 4cb0d2d02a5ffaab5f6728ba84c8587ab73a5c6c
  1303. 604 561664
  1304. File
  1305. Open
  1306.  
  1307. C:\ProgramData\System32\xfs
  1308. MD5: cb3ba0321674d2aed9570bc5ef2b9632
  1309. SHA1: 878f39613d12a8ba5f0e2c67e0b5558b225768ab
  1310. 604 418
  1311. File
  1312. Close
  1313.  
  1314. C:\ProgramData\System32\xfs
  1315. MD5: 317508a377eb4904e7952e644d5083dc
  1316. SHA1: d3d817cbb73e349f18b26f6bfcd7c4c6a24f8aa3
  1317. 604 566
  1318. File
  1319. Hide
  1320.  
  1321. C:\ProgramData\System32\xfs
  1322. MD5: 317508a377eb4904e7952e644d5083dc
  1323. SHA1: d3d817cbb73e349f18b26f6bfcd7c4c6a24f8aa3
  1324. 604 566
  1325. File
  1326. Open
  1327.  
  1328. C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
  1329. 604 780831
  1330. File
  1331. Close
  1332.  
  1333. C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
  1334. MD5: d07c705f4953407438ca30909060c103
  1335. SHA1: af30f25c6dafd4fe1fb5eec131390a2ae82025a2
  1336. 604 781215
  1337. File
  1338. Open
  1339.  
  1340. C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
  1341. MD5: d07c705f4953407438ca30909060c103
  1342. SHA1: af30f25c6dafd4fe1fb5eec131390a2ae82025a2
  1343. 604 781215
  1344. File
  1345. Close
  1346.  
  1347. C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
  1348. MD5: c9338c52434123f2f54a3c3457408a83
  1349. SHA1: 41f485b26b432898c4f60483fae47a91d6e03522
  1350. 604 781216
  1351. File
  1352. Rename
  1353.  
  1354. Old Name: C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
  1355. New Name: C:\Users\Public\Pictures\Sample Pictures\MvqtZijbhCa1ApycV7KdoZ7JrtsU71jZY7OClDl7riA=.7A2F0ADB1B90B147DABB.no_more_ransom
  1357. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  1358. MD5: c9338c52434123f2f54a3c3457408a83
  1359. SHA1: 41f485b26b432898c4f60483fae47a91d6e03522
  1360. 604 781216
  1361. File
  1362. Open
  1363.  
  1364. C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
  1365. 604 775702
  1366. File
  1367. Open
  1368.  
  1369. C:\ProgramData\System32\xfs
  1370. MD5: 317508a377eb4904e7952e644d5083dc
  1371. SHA1: d3d817cbb73e349f18b26f6bfcd7c4c6a24f8aa3
  1372. 604 566
  1373. File
  1374. Close
  1375.  
  1376. C:\ProgramData\System32\xfs
  1377. MD5: 1fb7bd9abd449ec8bb2b47efba621de6
  1378. SHA1: c2eeaece9396846ea37db7c08f8f0cdff49e11b0
  1379. 604 704
  1380. File
  1381. Hide
  1382.  
  1383. C:\ProgramData\System32\xfs
  1384. MD5: 1fb7bd9abd449ec8bb2b47efba621de6
  1385. SHA1: c2eeaece9396846ea37db7c08f8f0cdff49e11b0
  1386. 604 704
  1387. File
  1388. Close
  1389.  
  1390. C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
  1391. MD5: f4f3a2cb8e7fd3149570f217df1b57f3
  1392. SHA1: f73cb686a9d10bfb04cdcdf22f5bbd61affee844
  1393. 604 776086
  1394. File
  1395. Open
  1396.  
  1397. C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
  1398. MD5: f4f3a2cb8e7fd3149570f217df1b57f3
  1399. SHA1: f73cb686a9d10bfb04cdcdf22f5bbd61affee844
  1400. 604 776086
  1401. File
  1402. Close
  1403.  
  1404. C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
  1405. MD5: 9227c7f3ad19d90117759eb63a39892b
  1406. SHA1: 41b542ff591636ae3049e01a4cf5bb20235e2048
  1407. 604 776096
  1408. File
  1409. Rename
  1410.  
  1411. Old Name: C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
  1412. New Name: C:\Users\Public\Pictures\Sample Pictures\nWfUYd5BKpzXCqQM483O0dY21f-4V-f5xQolZKlJLUo=.7A2F0ADB1B90B147DABB.no_more_ransom
  1414. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  1415. MD5: 9227c7f3ad19d90117759eb63a39892b
  1416. SHA1: 41b542ff591636ae3049e01a4cf5bb20235e2048
  1417. 604 776096
  1418. File
  1419. Open
  1420.  
  1421. C:\ProgramData\System32\xfs
  1422. MD5: 1fb7bd9abd449ec8bb2b47efba621de6
  1423. SHA1: c2eeaece9396846ea37db7c08f8f0cdff49e11b0
  1424. 604 704
  1425. File
  1426. Close
  1427.  
  1428. C:\ProgramData\System32\xfs
  1429. MD5: bc7d33ef94aa0ab5fcb4ea1e713d2819
  1430. SHA1: 814596c41c2830454d800eb93c8fc0ec3c86600f
  1431. 604 850
  1432. File
  1433. Hide
  1434.  
  1435. C:\ProgramData\System32\xfs
  1436. MD5: bc7d33ef94aa0ab5fcb4ea1e713d2819
  1437. SHA1: 814596c41c2830454d800eb93c8fc0ec3c86600f
  1438. 604 850
  1439. File
  1440. Open
  1441.  
  1442. C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
  1443. 604 595284
  1444. File
  1445. Close
  1446.  
  1447. C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
  1448. MD5: 438259ecbb7bd3d922aaed01b156d36e
  1449. SHA1: 77eeab4898cedcd399bd7d696a91fb70f8ad5524
  1450. 604 595668
  1451. File
  1452. Open
  1453.  
  1454. C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
  1455. MD5: 438259ecbb7bd3d922aaed01b156d36e
  1456. SHA1: 77eeab4898cedcd399bd7d696a91fb70f8ad5524
  1457. 604 595668
  1458. File
  1459. Close
  1460.  
  1461. C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
  1462. MD5: ccf3b949f31cd3f0e96f9112f09b97df
  1463. SHA1: 99e901d9d10e80dddcac20a9c3e81d55f6ec873a
  1464. 604 595680
  1465. File
  1466. Rename
  1467.  
  1468. Old Name: C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
  1469. New Name: C:\Users\Public\Pictures\Sample Pictures\PsKe54J-2GeOdO1RDI+dDZsdmBIqXthkOttHJtvKjx4=.7A2F0ADB1B90B147DABB.no_more_ransom
  1471. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  1472. MD5: ccf3b949f31cd3f0e96f9112f09b97df
  1473. SHA1: 99e901d9d10e80dddcac20a9c3e81d55f6ec873a
  1474. 604 595680
  1475. File
  1476. Open
  1477.  
  1478. C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
  1479. 604 845941
  1480. File
  1481. Open
  1482.  
  1483. C:\ProgramData\System32\xfs
  1484. MD5: bc7d33ef94aa0ab5fcb4ea1e713d2819
  1485. SHA1: 814596c41c2830454d800eb93c8fc0ec3c86600f
  1486. 604 850
  1487. File
  1488. Close
  1489.  
  1490. C:\ProgramData\System32\xfs
  1491. MD5: 1b872bad3231d1f5b7895c79d95bcf9a
  1492. SHA1: 0b8ea004023d5d1bb02c7b9d842671e674c2b1f5
  1493. 604 998
  1494. File
  1495. Hide
  1496.  
  1497. C:\ProgramData\System32\xfs
  1498. MD5: 1b872bad3231d1f5b7895c79d95bcf9a
  1499. SHA1: 0b8ea004023d5d1bb02c7b9d842671e674c2b1f5
  1500. 604 998
  1501. File
  1502. Close
  1503.  
  1504. C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
  1505. MD5: e3934c1d8793e85f1803223fed15729a
  1506. SHA1: 6fbb08dfc191a4a4bfac272568c1c665cf0207bc
  1507. 604 846325
  1508. File
  1509. Open
  1510.  
  1511. C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
  1512. MD5: e3934c1d8793e85f1803223fed15729a
  1513. SHA1: 6fbb08dfc191a4a4bfac272568c1c665cf0207bc
  1514. 604 846325
  1515. File
  1516. Close
  1517.  
  1518. C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
  1519. MD5: 991dac7cd99303c3beec2c511d5e69bb
  1520. SHA1: 007517900e8ba6b8050cf1573a997e1f3ecf3fa4
  1521. 604 846336
  1522. File
  1523. Rename
  1524.  
  1525. Old Name: C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
  1526. New Name: C:\Users\Public\Pictures\Sample Pictures\dmYzOCvVXR1Qu6XiXec9SHLa1VXU0QmJOBSicQx9qp0=.7A2F0ADB1B90B147DABB.no_more_ransom
  1528. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  1529. MD5: 991dac7cd99303c3beec2c511d5e69bb
  1530. SHA1: 007517900e8ba6b8050cf1573a997e1f3ecf3fa4
  1531. 604 846336
  1532. File
  1533. Open
  1534.  
  1535. C:\ProgramData\System32\xfs
  1536. MD5: 1b872bad3231d1f5b7895c79d95bcf9a
  1537. SHA1: 0b8ea004023d5d1bb02c7b9d842671e674c2b1f5
  1538. 604 998
  1539. File
  1540. Close
  1541.  
  1542. C:\ProgramData\System32\xfs
  1543. MD5: 994dcbd48b9991af156b930045cb72e9
  1544. SHA1: 2e4884b50791276e2e904b2c6504aec25e90bf2f
  1545. 604 1138
  1546. File
  1547. Hide
  1548.  
  1549. C:\ProgramData\System32\xfs
  1550. MD5: 994dcbd48b9991af156b930045cb72e9
  1551. SHA1: 2e4884b50791276e2e904b2c6504aec25e90bf2f
  1552. 604 1138
  1553. File
  1554. Open
  1555.  
  1556. C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
  1557. 604 879394
  1558. File
  1559. Close
  1560.  
  1561. C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
  1562. MD5: 129068ff72cbf9de8cd5b8e03fd8e94f
  1563. SHA1: 639df059dfbed864eb2891ca045b65f88c035f5b
  1564. 604 879778
  1565. File
  1566. Open
  1567.  
  1568. C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
  1569. MD5: 129068ff72cbf9de8cd5b8e03fd8e94f
  1570. SHA1: 639df059dfbed864eb2891ca045b65f88c035f5b
  1571. 604 879778
  1572. File
  1573. Close
  1574.  
  1575. C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
  1576. MD5: e8573bee38743e11eb978a11be66dcb0
  1577. SHA1: b9190d7363f16ed119e1a8f005ed4b919ecfb6a5
  1578. 604 879792
  1579. File
  1580. Rename
  1581.  
  1582. Old Name: C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
  1583. New Name: C:\Users\Public\Pictures\Sample Pictures\SSV3w8pmgstpqHUT18WJ02KZK8X8BkgUeli8i++4Ftn09ijdKKeYRg6qljmdQd5d.7A2F0ADB1B90B147DABB.no_more_ransom
  1585. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  1586. MD5: e8573bee38743e11eb978a11be66dcb0
  1587. SHA1: b9190d7363f16ed119e1a8f005ed4b919ecfb6a5
  1588. 604 879792
  1589. File
  1590. Open
  1591.  
  1592. C:\ProgramData\System32\xfs
  1593. MD5: 994dcbd48b9991af156b930045cb72e9
  1594. SHA1: 2e4884b50791276e2e904b2c6504aec25e90bf2f
  1595. 604 1138
  1596. File
  1597. Close
  1598.  
  1599. C:\ProgramData\System32\xfs
  1600. MD5: 268ca2df059c5a9ce5c26ef6f85d924f
  1601. SHA1: 9501783d1aa3c4fa8eb4976d8f1a5d58b505036b
  1602. 604 1292
  1603. File
  1604. Hide
  1605.  
  1606. C:\ProgramData\System32\xfs
  1607. MD5: 268ca2df059c5a9ce5c26ef6f85d924f
  1608. SHA1: 9501783d1aa3c4fa8eb4976d8f1a5d58b505036b
  1609. 604 1292
  1610. File
  1611. Open
  1612.  
  1613. C:\Users\Public\Music\Sample Music\Sleep Away.mp3
  1614. 604 4842585
  1615. File
  1616. Close
  1617.  
  1618. C:\Users\Public\Music\Sample Music\Sleep Away.mp3
  1619. MD5: c67bbe427a8711f75d2d7d2719417d61
  1620. SHA1: d3a1aa8d8077e6774916c461d07c1721f9773aad
  1621. 604 4842969
  1622. File
  1623. Open
  1624.  
  1625. C:\Users\Public\Music\Sample Music\Sleep Away.mp3
  1626. MD5: c67bbe427a8711f75d2d7d2719417d61
  1627. SHA1: d3a1aa8d8077e6774916c461d07c1721f9773aad
  1628. 604 4842969
  1629. File
  1630. Close
  1631.  
  1632. C:\Users\Public\Music\Sample Music\Sleep Away.mp3
  1633. MD5: f8986b2b08c2fbce2ee85a846a7f001c
  1634. SHA1: cc9f89632d710db0ff9d2ee811807a8015c2f642
  1635. 604 4842976
  1636. File
  1637. Rename
  1638.  
  1639. Old Name: C:\Users\Public\Music\Sample Music\Sleep Away.mp3
  1640. New Name: C:\Users\Public\Music\Sample Music\Hnz3Uc0S-lbrqf7X69HranOJBU35BAtGbdmuXtz7YX8=.7A2F0ADB1B90B147DABB.no_more_ransom
  1642. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  1643. MD5: f8986b2b08c2fbce2ee85a846a7f001c
  1644. SHA1: cc9f89632d710db0ff9d2ee811807a8015c2f642
  1645. 604 4842976
  1646. File
  1647. Open
  1648.  
  1649. C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3
  1650. 604 4113874
  1651. File
  1652. Open
  1653.  
  1654. C:\ProgramData\System32\xfs
  1655. MD5: 268ca2df059c5a9ce5c26ef6f85d924f
  1656. SHA1: 9501783d1aa3c4fa8eb4976d8f1a5d58b505036b
  1657. 604 1292
  1658. File
  1659. Close
  1660.  
  1661. C:\ProgramData\System32\xfs
  1662. MD5: f10c079071c47cfd58918e3e72920aa5
  1663. SHA1: a16470bf1d09f96060a918a6b4f0f46a1863888b
  1664. 604 1428
  1665. File
  1666. Hide
  1667.  
  1668. C:\ProgramData\System32\xfs
  1669. MD5: f10c079071c47cfd58918e3e72920aa5
  1670. SHA1: a16470bf1d09f96060a918a6b4f0f46a1863888b
  1671. 604 1428
  1672. API Call
  1673.  
  1674. API Name: Sleep Address: 0x0040e6c8
  1675. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  1676. 604
  1677. ProcessTelemetryReport
  1678.  
  1679. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  1680. 604
  1681. Regkey
  1682. Setval
  1683.  
  1684. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\"xcnt" = 10
  1685. 604
  1686. File
  1687. Close
  1688.  
  1689. C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3
  1690. MD5: 52ec85f46d9f1164792a3489ecf81009
  1691. SHA1: f7ff3b7fbfb36e2eda9f04e86ef60f2d2bb6cbef
  1692. 604 4114258
  1693. File
  1694. Open
  1695.  
  1696. C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3
  1697. MD5: 52ec85f46d9f1164792a3489ecf81009
  1698. SHA1: f7ff3b7fbfb36e2eda9f04e86ef60f2d2bb6cbef
  1699. 604 4114258
  1700. File
  1701. Close
  1702.  
  1703. C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3
  1704. MD5: 5b3f9e01fc83f4f441ad7b67af09f11e
  1705. SHA1: 80a3ee5a53c48bdc94549e0fdfdbaa28ad261c1a
  1706. 604 4114272
  1707. File
  1708. Rename
  1709.  
  1710. Old Name: C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3
  1711. New Name: C:\Users\Public\Music\Sample Music\EpG22a-RASJeJaFSbWvusDTLftbNTaghcy35AJsBoRg6Gr7rDhJH+DPMqrAO7VE+AVBtZEVXIrcl5OsEpSrNCg==.7A2F0ADB1B90B147DABB.no_more_ransom
  1713. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  1714. MD5: 5b3f9e01fc83f4f441ad7b67af09f11e
  1715. SHA1: 80a3ee5a53c48bdc94549e0fdfdbaa28ad261c1a
  1716. 604 4114272
  1717. File
  1718. Open
  1719.  
  1720. C:\ProgramData\System32\xfs
  1721. MD5: f10c079071c47cfd58918e3e72920aa5
  1722. SHA1: a16470bf1d09f96060a918a6b4f0f46a1863888b
  1723. 604 1428
  1724. File
  1725. Close
  1726.  
  1727. C:\ProgramData\System32\xfs
  1728. MD5: 9f0a52ec410dc015bbbdb5006476fbee
  1729. SHA1: 31abdb3951e1fe8c6f6476f75092d58239f4be23
  1730. 604 1594
  1731. File
  1732. Hide
  1733.  
  1734. C:\ProgramData\System32\xfs
  1735. MD5: 9f0a52ec410dc015bbbdb5006476fbee
  1736. SHA1: 31abdb3951e1fe8c6f6476f75092d58239f4be23
  1737. 604 1594
  1738. File
  1739. Open
  1740.  
  1741. C:\Users\Public\Music\Sample Music\Kalimba.mp3
  1742. 604 8414449
  1743. File
  1744. Close
  1745.  
  1746. C:\Users\Public\Music\Sample Music\Kalimba.mp3
  1747. MD5: b15d6f2196d8e2ddd256524f5662276f
  1748. SHA1: c142f307dd2cdddb9979a369c02024e804074d56
  1749. 604 8414833
  1750. File
  1751. Open
  1752.  
  1753. C:\Users\Public\Music\Sample Music\Kalimba.mp3
  1754. MD5: b15d6f2196d8e2ddd256524f5662276f
  1755. SHA1: c142f307dd2cdddb9979a369c02024e804074d56
  1756. 604 8414833
  1757. File
  1758. Close
  1759.  
  1760. C:\Users\Public\Music\Sample Music\Kalimba.mp3
  1761. MD5: 1783edfd94f1bba7359238e705b298db
  1762. SHA1: df3780405e90cea5622471ef3ab094c0191641a8
  1763. 604 8414848
  1764. File
  1765. Rename
  1766.  
  1767. Old Name: C:\Users\Public\Music\Sample Music\Kalimba.mp3
  1768. New Name: C:\Users\Public\Music\Sample Music\FgPA-zefXcNw-zR2AvLhpmeRnLkAQImTuqhcDdL0E9E=.7A2F0ADB1B90B147DABB.no_more_ransom
  1770. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  1771. MD5: 1783edfd94f1bba7359238e705b298db
  1772. SHA1: df3780405e90cea5622471ef3ab094c0191641a8
  1773. 604 8414848
  1774. File
  1775. Open
  1776.  
  1777. C:\ProgramData\System32\xfs
  1778. MD5: 9f0a52ec410dc015bbbdb5006476fbee
  1779. SHA1: 31abdb3951e1fe8c6f6476f75092d58239f4be23
  1780. 604 1594
  1781. File
  1782. Close
  1783.  
  1784. C:\ProgramData\System32\xfs
  1785. MD5: d1a4f2392188feb2397890f63cc5c953
  1786. SHA1: 3fd70395c041bca61e57e211552182b36101321d
  1787. 604 1724
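Reading guide for the rows above, with an added script that is not part of the sandbox report. Every victim file in this trace goes through the same sequence: Open at the original size, Close 384 bytes larger, Close again at the next 16-byte boundary, then Rename to <base64 blob>.7A2F0ADB1B90B147DABB.no_more_ransom, after which the hidden C:\ProgramData\System32\xfs file is opened and closed a fixed number of bytes longer. The script parses the flattened Type/Mode/Details/PID/Size rows exactly as they appear in the paste (line numbers included) and checks those regularities. Three readings in it are inferences from the data, not statements made by the report: '-' in the blob stands in for '/', because '/' is not legal in a Windows file name and no blob contains one; the decoded blob is as long as the original file name in UTF-16 rounded up to a 16-byte block (Tulips.jpg gives 32 bytes, Chrysanthemum.jpg 48, Maid with the Flaxen Hair.mp3 64); and the xfs file grows by 2*len(path)+38 bytes per file, which fits every Users entry whose rename and xfs update are both logged, while the three ProgramData entries later in the trace run 8 bytes over. TRACE, parse_events, describe_encryption, analyze_trace and xfs_record_prediction are this script's own names; TRACE is an abridged copy of the Tulips.jpg rows above.

```python
import base64
import re

# Abridged excerpt of the trace above, kept with its paste line numbers: the Tulips.jpg
# sequence (one intermediate re-open omitted) and the xfs update that follows its rename.
TRACE = r"""  1155. File
  1156. Open
  1157.
  1158. C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
  1159. 604 620888
  1160. File
  1161. Close
  1162.
  1163. C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
  1164. MD5: 886b76b7e667b07eb384aef6b287dd8f
  1165. SHA1: fa4710759b26074bc1071cb460845e03e4fbf961
  1166. 604 621272
  1174. File
  1175. Close
  1176.
  1177. C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
  1178. MD5: eb5c740ca5e6b82f98731606438d2949
  1179. SHA1: 1b0c15cbe0738dccfde2694b0609ce3f0367a551
  1180. 604 621280
  1181. File
  1182. Rename
  1183.
  1184. Old Name: C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
  1185. New Name: C:\Users\Public\Pictures\Sample Pictures\PF+Cxm3VmNNzOXBRmkDH+Hg9aO+zrZWwFtNUkj2M0go=.7A2F0ADB1B90B147DABB.no_more_ransom
  1186. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  1187. MD5: eb5c740ca5e6b82f98731606438d2949
  1188. SHA1: 1b0c15cbe0738dccfde2694b0609ce3f0367a551
  1189. 604 621280
  1190. File
  1191. Open
  1192.
  1193. C:\ProgramData\System32\xfs
  1194. MD5: b40e775927a2f1c38d960921b60d7a8d
  1195. SHA1: 46091bdfdb005fcaabf9489768fa9954907fe124
  1196. 604 134
  1197. File
  1198. Close
  1199.
  1200. C:\ProgramData\System32\xfs
  1201. MD5: 28da47be3cb23f6c66160ea208cfd372
  1202. SHA1: a8525efdf940b2d2202cd8f78b044c72053c2645
  1203. 604 274
"""

# Paste numbering is stripped first; an event is: type, mode, blank line, detail lines,
# then "<pid> <size>". Renamed files are <base64 blob>.<20 hex>.no_more_ransom.
EVENT_RE = re.compile(
    r"^File\n(?P<mode>Open|Close|Rename)\n[ \t]*\n(?P<body>(?:.+\n)+?)\d+ (?P<size>\d+)$", re.M)
NEW_NAME_RE = re.compile(r"^(?P<blob>[A-Za-z0-9+\-]+={0,2})\.(?P<suffix>[0-9A-F]{20})\.no_more_ransom$")

def parse_events(trace):
    """Yield (mode, path, new_path or None, size) for each File event in the paste."""
    trace = re.sub(r"^[ \t]*\d+\. ?", "", trace, flags=re.M)
    for m in EVENT_RE.finditer(trace):
        lines, size = m["body"].splitlines(), int(m["size"])
        if m["mode"] == "Rename":
            yield "Rename", lines[0][len("Old Name: "):], lines[1][len("New Name: "):], size
        else:
            yield m["mode"], lines[0], None, size

def describe_encryption(old_path, new_path, sizes):
    """Summarise one victim file; sizes are those logged in order, sizes[0] before encryption."""
    m = NEW_NAME_RE.match(new_path.rsplit("\\", 1)[-1])
    if m is None:
        return None
    # '/' cannot occur in a Windows file name and the blobs use '+' but never '/', so '-'
    # is read as the substitute for '/' (inferred from the names, not stated by the report).
    blob = base64.b64decode(m["blob"].replace("-", "/"))
    utf16_len = 2 * len(old_path.rsplit("\\", 1)[-1])
    return {
        "suffix": m["suffix"],                      # 7A2F0ADB1B90B147DABB on every rename
        "first_write_growth": sizes[1] - sizes[0],  # 384 for every file in the trace
        "final_on_16_byte_boundary": sizes[-1] % 16 == 0 and 0 <= sizes[-1] - sizes[1] < 16,
        "name_blob_bytes": len(blob),
        # inference: blob = original name as UTF-16, rounded up to a whole 16-byte block
        "name_blob_fits_utf16_blocks": len(blob) == -(-utf16_len // 16) * 16,
    }

def analyze_trace(trace):
    """Map each renamed file to its summary plus the xfs growth logged after that rename."""
    history, results, last_renamed, xfs_size = {}, {}, None, None
    for mode, path, new_path, size in parse_events(trace):
        if path.lower().endswith("\\system32\\xfs"):
            if mode == "Close" and xfs_size is not None and last_renamed is not None:
                results[last_renamed]["xfs_record_bytes"] = size - xfs_size
            xfs_size = size
            continue
        history.setdefault(path, []).append(size)
        if mode == "Rename" and (summary := describe_encryption(path, new_path, history[path])):
            results[path], last_renamed = summary, path
    return results

def xfs_record_prediction(path):
    """Empirical fit: xfs grows by 2*len(path)+38 bytes per file, i.e. a UTF-16 path plus
    38 fixed bytes. Exact for every entry under Users whose rename and xfs update are both
    logged; the three entries under ProgramData come out 8 bytes larger (unexplained here)."""
    return 2 * len(path) + 38
```

To run it over the whole paste, feed the saved page text to analyze_trace instead of TRACE; the numbering stripper and the [ \t]* allowance on the blank row are there because the pasted rows carry "  NNNN. " prefixes and trailing spaces. Rows the parser does not claim (Folder, Regkey, API Call, Ransom, Hide) are simply skipped, and a Rename whose new name does not match the blob.suffix.no_more_ransom shape yields no summary rather than a wrong one.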
  1788. Ransom
  1789.  
  1790. C:\Users\Public\Music\cocpFV_ihD.wav
  1791. MD5: 615f35a9891ba630998f6aa13ef45054
  1792.  
  1793. Malicious Alert
  1794. Ransomware
  1795.  
  1796. Message: Ransomware Activity
  1797.  
  1798. Malicious Alert
  1799. Misc Anom
  1800.  
  1801. Message: Ransomware Activity
  1802.  
  1803. File
  1804. Hide
  1805.  
  1806. C:\ProgramData\System32\xfs
  1807. MD5: d1a4f2392188feb2397890f63cc5c953
  1808. SHA1: 3fd70395c041bca61e57e211552182b36101321d
  1809. 604 1724
  1810. File
  1811. Open
  1812.  
  1813. C:\ProgramData\System32\xfs
  1814. MD5: d1a4f2392188feb2397890f63cc5c953
  1815. SHA1: 3fd70395c041bca61e57e211552182b36101321d
  1816. 604 1724
  1817. File
  1818. Failed
  1819.  
  1820. C:\Users\Public\Documents\My Videos
  1821. 604
  1822. File
  1823. Close
  1824.  
  1825. C:\ProgramData\System32\xfs
  1826. MD5: 4cceb2f587948af3b0d8e06cb1f64bbe
  1827. SHA1: 9b6c5e693f25c392fcda60fcbaca508a94d49e7e
  1828. 604 1834
  1829. File
  1830. Failed
  1831.  
  1832. C:\Users\Public\Documents\My Pictures
  1833. 604
  1834. File
  1835. Failed
  1836.  
  1837. C:\Users\Public\Documents\My Music
  1838. 604
  1839. File
  1840. Hide
  1841.  
  1842. C:\ProgramData\System32\xfs
  1843. MD5: 4cceb2f587948af3b0d8e06cb1f64bbe
  1844. SHA1: 9b6c5e693f25c392fcda60fcbaca508a94d49e7e
  1845. 604 1834
  1846. Ransom
  1847.  
  1848. C:\Users\Public\Documents\cZLDe-\xTnfgLg.jpg
  1849. MD5: e0b0209e3c8107371d32a0cd757f907f
  1850.  
  1851. Ransom
  1852.  
  1853. C:\Users\Public\Documents\cZLDe-\WiPLiBqrX.doc
  1854. MD5: c25bd3988639d7aa8be215a50c5bf089
  1855.  
  1856. Ransom
  1857.  
  1858. C:\Users\Public\Documents\cZLDe-\NxoFCO.xls
  1859. MD5: e17db3c35a95beef2652b2044b08a9d5
  1860.  
  1861. File
  1862. Open
  1863.  
  1864. C:\ProgramData\System32\xfs
  1865. MD5: 4cceb2f587948af3b0d8e06cb1f64bbe
  1866. SHA1: 9b6c5e693f25c392fcda60fcbaca508a94d49e7e
  1867. 604 1834
  1868. File
  1869. Close
  1870.  
  1871. C:\ProgramData\System32\xfs
  1872. MD5: a91b81161b47cb9f591c1b8312201022
  1873. SHA1: 7a6712f8a35290edccd948478c2ea884aa1cf15d
  1874. 604 2022
  1875. File
  1876. Hide
  1877.  
  1878. C:\ProgramData\System32\xfs
  1879. MD5: a91b81161b47cb9f591c1b8312201022
  1880. SHA1: 7a6712f8a35290edccd948478c2ea884aa1cf15d
  1881. 604 2022
  1882. Ransom
  1883.  
  1884. C:\Users\Public\Documents\cZLDe-\LG-Lu.txt
  1885. MD5: 0a7d2ce4812613c448457291faa21395
  1886.  
  1887. File
  1888. Open
  1889.  
  1890. C:\ProgramData\System32\xfs
  1891. MD5: a91b81161b47cb9f591c1b8312201022
  1892. SHA1: 7a6712f8a35290edccd948478c2ea884aa1cf15d
  1893. 604 2022
  1894. File
  1895. Close
  1896.  
  1897. C:\ProgramData\System32\xfs
  1898. MD5: 96248bd1ec5f8e539800db84f2e97f3e
  1899. SHA1: 991d080d499317fa1d77d436bfba1c6d93fd42bc
  1900. 604 2146
  1901. File
  1902. Hide
  1903.  
  1904. C:\ProgramData\System32\xfs
  1905. MD5: 96248bd1ec5f8e539800db84f2e97f3e
  1906. SHA1: 991d080d499317fa1d77d436bfba1c6d93fd42bc
  1907. 604 2146
  1908. Ransom
  1909.  
  1910. C:\Users\Public\Documents\cZLDe-\cyhuszTB.html
  1911. MD5: e643ac556bc2ebc061394e77fdad5f8a
  1912.  
  1913. File
  1914. Open
  1915.  
  1916. C:\ProgramData\System32\xfs
  1917. MD5: 96248bd1ec5f8e539800db84f2e97f3e
  1918. SHA1: 991d080d499317fa1d77d436bfba1c6d93fd42bc
  1919. 604 2146
  1920. File
  1921. Close
  1922.  
  1923. C:\ProgramData\System32\xfs
  1924. MD5: 56ea7cb505271706cb2974c749cf6aed
  1925. SHA1: f4e3373ce1e95fe99e06890b06f731600f90e47d
  1926. 604 2268
  1927. File
  1928. Hide
  1929.  
  1930. C:\ProgramData\System32\xfs
  1931. MD5: 56ea7cb505271706cb2974c749cf6aed
  1932. SHA1: f4e3373ce1e95fe99e06890b06f731600f90e47d
  1933. 604 2268
  1934. Ransom
  1935.  
  1936. C:\Users\Public\Documents\cZLDe-\CAMEu.ppt
  1937. MD5: adf9de9ecd1bd9da5beb369d4e200bbc
  1938.  
  1939. File
  1940. Open
  1941.  
  1942. C:\ProgramData\System32\xfs
  1943. MD5: 56ea7cb505271706cb2974c749cf6aed
  1944. SHA1: f4e3373ce1e95fe99e06890b06f731600f90e47d
  1945. 604 2268
  1946. File
  1947. Close
  1948.  
  1949. C:\ProgramData\System32\xfs
  1950. MD5: 16c2db7f9420440cdb48f666e8101fb9
  1951. SHA1: c4a9d85e5c35abffd4ffa70089d484e9703c0767
  1952. 604 2398
  1953. File
  1954. Hide
  1955.  
  1956. C:\ProgramData\System32\xfs
  1957. MD5: 16c2db7f9420440cdb48f666e8101fb9
  1958. SHA1: c4a9d85e5c35abffd4ffa70089d484e9703c0767
  1959. 604 2398
  1960. File
  1961. Failed
  1962.  
  1963. C:\Users\Default User
  1964. 604
  1965. File
  1966. Open
  1967.  
  1968. C:\ProgramData\System32\xfs
  1969. MD5: 16c2db7f9420440cdb48f666e8101fb9
  1970. SHA1: c4a9d85e5c35abffd4ffa70089d484e9703c0767
  1971. 604 2398
  1972. File
  1973. Close
  1974.  
  1975. C:\ProgramData\System32\xfs
  1976. MD5: 6b82c25051991da4145c958aedd3c587
  1977. SHA1: dc822231e62f03a6198be7435f1360ff28ae53d7
  1978. 604 2520
  1979. File
  1980. Hide
  1981.  
  1982. C:\ProgramData\System32\xfs
  1983. MD5: 6b82c25051991da4145c958aedd3c587
  1984. SHA1: dc822231e62f03a6198be7435f1360ff28ae53d7
  1985. 604 2520
  1986. File
  1987. Failed
  1988.  
  1989. C:\Users\Default\Templates
  1990. 604
  1991. File
  1992. Failed
  1993.  
  1994. C:\Users\Default\Start Menu
  1995. 604
  1996. File
  1997. Failed
  1998.  
  1999. C:\Users\Default\SendTo
  2000. 604
  2001. File
  2002. Failed
  2003.  
  2004. C:\Users\Default\Recent
  2005. 604
  2006. File
  2007. Failed
  2008.  
  2009. C:\Users\Default\PrintHood
  2010. 604
  2011. File
  2012. Failed
  2013.  
  2014. C:\Users\Default\NetHood
  2015. 604
  2016. File
  2017. Failed
  2018.  
  2019. C:\Users\Default\My Documents
  2020. 604
  2021. File
  2022. Failed
  2023.  
  2024. C:\Users\Default\Local Settings
  2025. 604
  2026. File
  2027. Failed
  2028.  
  2029. C:\Users\Default\Documents\My Videos
  2030. 604
  2031. File
  2032. Failed
  2033.  
  2034. C:\Users\Default\Documents\My Pictures
  2035. 604
  2036. File
  2037. Failed
  2038.  
  2039. C:\Users\Default\Documents\My Music
  2040. 604
  2041. File
  2042. Failed
  2043.  
  2044. C:\Users\Default\Cookies
  2045. 604
  2046. File
  2047. Failed
  2048.  
  2049. C:\Users\Default\Application Data
  2050. 604
  2051. Folder
  2052. Open
  2053.  
  2054. C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies
  2055. 604
  2056. File
  2057. Failed
  2058.  
  2059. C:\Users\Default\AppData\Local\Temporary Internet Files
  2060. 604
  2061. File
  2062. Failed
  2063.  
  2064. C:\Users\Default\AppData\Local\History
  2065. 604
  2066. File
  2067. Failed
  2068.  
  2069. C:\Users\Default\AppData\Local\Application Data
  2070. 604
  2071. File
  2072. Open
  2073.  
  2074. C:\Users\Default\NTUSER.DAT.LOG
  2075. 604 1024
  2076. File
  2077. Close
  2078.  
  2079. C:\Users\Default\NTUSER.DAT.LOG
  2080. MD5: 1d37b69cef8145013c7c4519e74a3e05
  2081. SHA1: 00966e36b522b98fb24387a6a372d54dbfae959f
  2082. 604 1408
  2083. File
  2084. Open
  2085.  
  2086. C:\Users\Default\NTUSER.DAT.LOG
  2087. MD5: 1d37b69cef8145013c7c4519e74a3e05
  2088. SHA1: 00966e36b522b98fb24387a6a372d54dbfae959f
  2089. 604 1408
  2090. File
  2091. Close
  2092.  
  2093. C:\Users\Default\NTUSER.DAT.LOG
  2094. MD5: a68649a030493c9a3fced34a9ce79a7e
  2095. SHA1: a6a8cd80c4047637cf2be65df9170f86b2262614
  2096. 604 1408
  2097. File
  2098. Rename
  2099.  
  2100. Old Name: C:\Users\Default\NTUSER.DAT.LOG
  2101. New Name: C:\Users\Default\BQhNoa4s-9gCT5aupZN6EbhSBui8gZbaRaM-QkkmIH0=.7A2F0ADB1B90B147DABB.no_more_ransom
  2102. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  2103. MD5: a68649a030493c9a3fced34a9ce79a7e
  2104. SHA1: a6a8cd80c4047637cf2be65df9170f86b2262614
  2105. 604 1408
  2106. File
  2107. Failed
  2108.  
  2109. C:\ProgramData\Templates
  2110. 604
  2111. File
  2112. Open
  2113.  
  2114. C:\ProgramData\System32\xfs
  2115. MD5: 6b82c25051991da4145c958aedd3c587
  2116. SHA1: dc822231e62f03a6198be7435f1360ff28ae53d7
  2117. 604 2520
  2118. File
  2119. Close
  2120.  
  2121. C:\ProgramData\System32\xfs
  2122. MD5: 7324dcd92102e0493238e75bfb9f54bf
  2123. SHA1: 9e2d759db27084b0081a8798885fc5aeeb68195a
  2124. 604 2620
  2125. File
  2126. Hide
  2127.  
  2128. C:\ProgramData\System32\xfs
  2129. MD5: 7324dcd92102e0493238e75bfb9f54bf
  2130. SHA1: 9e2d759db27084b0081a8798885fc5aeeb68195a
  2131. 604 2620
  2132. File
  2133. Open
  2134.  
  2135. C:\ProgramData\Sun\Java\Java Update\jaureglist.xml
  2136. 604 185
  2137. File
  2138. Close
  2139.  
  2140. C:\ProgramData\Sun\Java\Java Update\jaureglist.xml
  2141. MD5: bf79db17f612fd0716bd9170bcd87a44
  2142. SHA1: 2a4a45d42c9343831b44b3bfee81a99e19ad236e
  2143. 604 569
  2144. File
  2145. Open
  2146.  
  2147. C:\ProgramData\Sun\Java\Java Update\jaureglist.xml
  2148. MD5: bf79db17f612fd0716bd9170bcd87a44
  2149. SHA1: 2a4a45d42c9343831b44b3bfee81a99e19ad236e
  2150. 604 569
  2151. File
  2152. Close
  2153.  
  2154. C:\ProgramData\Sun\Java\Java Update\jaureglist.xml
  2155. MD5: 45f89a51335bc5ab6dc2ec60daad3e9e
  2156. SHA1: 36be167bb9eb1d819bd2526153f560fbada3e067
  2157. 604 576
  2158. File
  2159. Rename
  2160.  
  2161. Old Name: C:\ProgramData\Sun\Java\Java Update\jaureglist.xml
  2162. New Name: C:\ProgramData\Sun\Java\Java Update\fYkCjj2U4HrlixMS2nUUVqyPc1sypGnN3YbW3H3bHbQ=.7A2F0ADB1B90B147DABB.no_more_ransom
  2164. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  2165. MD5: 45f89a51335bc5ab6dc2ec60daad3e9e
  2166. SHA1: 36be167bb9eb1d819bd2526153f560fbada3e067
  2167. 604 576
  2168. File
  2169. Failed
  2170.  
  2171. C:\ProgramData\Start Menu
  2172. 604
  2173. File
  2174. Open
  2175.  
  2176. C:\ProgramData\System32\xfs
  2177. MD5: 7324dcd92102e0493238e75bfb9f54bf
  2178. SHA1: 9e2d759db27084b0081a8798885fc5aeeb68195a
  2179. 604 2620
  2180. File
  2181. Close
  2182.  
  2183. C:\ProgramData\System32\xfs
  2184. MD5: e55b310507ede3a193041b7956e3851a
  2185. SHA1: b0564de0148a5c0dbf0ba9f47fe218af55951e10
  2186. 604 2766
  2187. File
  2188. Hide
  2189.  
  2190. C:\ProgramData\System32\xfs
  2191. MD5: e55b310507ede3a193041b7956e3851a
  2192. SHA1: b0564de0148a5c0dbf0ba9f47fe218af55951e10
  2193. 604 2766
  2194. File
  2195. Open
  2196.  
  2197. C:\ProgramData\RealNetworks\RealDownloader\Scripts\bookmark.js
  2198. 604 12021
  2199. File
  2200. Close
  2201.  
  2202. C:\ProgramData\RealNetworks\RealDownloader\Scripts\bookmark.js
  2203. MD5: 2777bcceafc88c5f3635c4c848df6a29
  2204. SHA1: 3f001b3a8d45013ba5608078fcd97e85c02e147d
  2205. 604 12405
  2206. File
  2207. Open
  2208.  
  2209. C:\ProgramData\RealNetworks\RealDownloader\Scripts\bookmark.js
  2210. MD5: 2777bcceafc88c5f3635c4c848df6a29
  2211. SHA1: 3f001b3a8d45013ba5608078fcd97e85c02e147d
  2212. 604 12405
  2213. File
  2214. Close
  2215.  
  2216. C:\ProgramData\RealNetworks\RealDownloader\Scripts\bookmark.js
  2217. MD5: 6004bdd76a27d75493790767c7df3811
  2218. SHA1: 0dc21a79945f6bf787238409bdfd5f1c963e311f
  2219. 604 12416
  2220. File
  2221. Rename
  2222.  
  2223. Old Name: C:\ProgramData\RealNetworks\RealDownloader\Scripts\bookmark.js
  2224. New Name: C:\ProgramData\RealNetworks\RealDownloader\Scripts\PYFOq5l4lSRFeX3z6RtrpN5Tg3Kd1AWB-NmFIXE36+g=.7A2F0ADB1B90B147DABB.no_more_ransom
  2226. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  2227. MD5: 6004bdd76a27d75493790767c7df3811
  2228. SHA1: 0dc21a79945f6bf787238409bdfd5f1c963e311f
  2229. 604 12416
  2230. File
  2231. Open
  2232.  
  2233. C:\ProgramData\System32\xfs
  2234. MD5: e55b310507ede3a193041b7956e3851a
  2235. SHA1: b0564de0148a5c0dbf0ba9f47fe218af55951e10
  2236. 604 2766
  2237. File
  2238. Close
  2239.  
  2240. C:\ProgramData\System32\xfs
  2241. MD5: 380f12b8a50094222da495f9ca461bd7
  2242. SHA1: d552545fa355133decefbeb85b162a836b753bcf
  2243. 604 2936
  2244. File
  2245. Hide
  2246.  
  2247. C:\ProgramData\System32\xfs
  2248. MD5: 380f12b8a50094222da495f9ca461bd7
  2249. SHA1: d552545fa355133decefbeb85b162a836b753bcf
  2250. 604 2936
  2251. File
  2252. Open
  2253.  
  2254. C:\ProgramData\RealNetworks\RealDownloader\Flash\sharemedia.swf
  2255. 604 860148
  2256. File
  2257. Close
  2258.  
  2259. C:\ProgramData\RealNetworks\RealDownloader\Flash\sharemedia.swf
  2260. MD5: 47267d3bf7b348b0e57f6dcb78805661
  2261. SHA1: bef6cdc18df5747147ac16b4688501188d20640a
  2262. 604 860532
  2263. File
  2264. Open
  2265.  
  2266. C:\ProgramData\RealNetworks\RealDownloader\Flash\sharemedia.swf
  2267. MD5: 47267d3bf7b348b0e57f6dcb78805661
  2268. SHA1: bef6cdc18df5747147ac16b4688501188d20640a
  2269. 604 860532
  2270. File
  2271. Close
  2272.  
  2273. C:\ProgramData\RealNetworks\RealDownloader\Flash\sharemedia.swf
  2274. MD5: db807af7c8df283ae927b50dc6b212e7
  2275. SHA1: 909c5802798cfa8afd84ffb21fbdeefd4bcf2cac
  2276. 604 860544
  2277. File
  2278. Rename
  2279.  
  2280. Old Name: C:\ProgramData\RealNetworks\RealDownloader\Flash\sharemedia.swf
  2281. New Name: C:\ProgramData\RealNetworks\RealDownloader\Flash\po7-b-4o652uQo5+N7pcKtl8hE2UfB5lQjtRNi5-Veg=.7A2F0A
  2282. DB1B90B147DABB.no_more_ransom
  2283. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  2284. MD5: db807af7c8df283ae927b50dc6b212e7
  2285. SHA1: 909c5802798cfa8afd84ffb21fbdeefd4bcf2cac
  2286. 604 860544
  2287. File
  2288. Open
  2289.  
  2290. C:\ProgramData\RealNetworks\RealDownloader\Downloader\madatastore.dat
  2291. 604 80
  2292. File
  2293. Open
  2294.  
  2295. C:\ProgramData\System32\xfs
  2296. MD5: 380f12b8a50094222da495f9ca461bd7
  2297. SHA1: d552545fa355133decefbeb85b162a836b753bcf
  2298. 604 2936
  2299. File
  2300. Close
  2301.  
  2302. C:\ProgramData\RealNetworks\RealDownloader\Downloader\madatastore.dat
  2303. MD5: 2a5c34227a08c0d1979539b2810aa152
  2304. SHA1: d310663b2de46d2997346f973e98760eb95ae893
  2305. 604 464
  2306. File
  2307. Open
  2308.  
  2309. C:\ProgramData\RealNetworks\RealDownloader\Downloader\madatastore.dat
  2310. MD5: 2a5c34227a08c0d1979539b2810aa152
  2311. SHA1: d310663b2de46d2997346f973e98760eb95ae893
  2312. 604 464
  2313. File
  2314. Close
  2315.  
  2316. C:\ProgramData\System32\xfs
  2317. MD5: 4fd5c02485a2269752bbc264f2563765
  2318. SHA1: 69d438edd9d50432acaaa57a2779a88427714ce9
  2319. 604 3108
  2320. File
  2321. Hide
  2322.  
  2323. C:\ProgramData\System32\xfs
  2324. MD5: 4fd5c02485a2269752bbc264f2563765
  2325. SHA1: 69d438edd9d50432acaaa57a2779a88427714ce9
  2326. 604 3108
  2327. File
  2328. Close
  2329.  
  2330. C:\ProgramData\RealNetworks\RealDownloader\Downloader\madatastore.dat
  2331. MD5: 77be20c155412a250a496ce69217c3fd
  2332. SHA1: ca10edfaf3cf553166c1db1ff5d1831e01639999
  2333. 604 464
  2334. File
  2335. Rename
  2336.  
  2337. Old Name: C:\ProgramData\RealNetworks\RealDownloader\Downloader\madatastore.dat
  2338. New Name: C:\ProgramData\RealNetworks\RealDownloader\Downloader\vARsbs6vUdVDw1NVEw7MkNNNSCDYGOUWYvlPPV1ZPEc=.7
  2339. A2F0ADB1B90B147DABB.no_more_ransom
  2340. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  2341. MD5: 77be20c155412a250a496ce69217c3fd
  2342. SHA1: ca10edfaf3cf553166c1db1ff5d1831e01639999
  2343. 604 464
  2344. File
  2345. Open
  2346.  
  2347. C:\ProgramData\System32\xfs
  2348. MD5: 4fd5c02485a2269752bbc264f2563765
  2349. SHA1: 69d438edd9d50432acaaa57a2779a88427714ce9
  2350. 604 3108
  2351. File
  2352. Close
  2353.  
  2354. C:\ProgramData\System32\xfs
  2355. MD5: f1612e4d2ed195dbd4d1fb16e235fd6c
  2356. SHA1: a0c62175588d5988da8dd780a13a7f68f5d1cd8f
  2357. 604 3292
  2358. File
  2359. Hide
  2360.  
  2361. C:\ProgramData\System32\xfs
  2362. MD5: f1612e4d2ed195dbd4d1fb16e235fd6c
  2363. SHA1: a0c62175588d5988da8dd780a13a7f68f5d1cd8f
  2364. 604 3292
  2365. File
  2366. Open
  2367.  
  2368. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Zune.xml
  2369. 604 6783
  2370. File
  2371. Close
  2372.  
  2373. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Zune.xml
  2374. MD5: c184b54247e762e885cb1ebffa41fa4e
  2375. SHA1: d8f7c6d3b071be3c3461cb9d74ded4c088f061ec
  2376. 604 7167
  2377. File
  2378. Open
  2379.  
  2380. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Zune.xml
  2381. MD5: c184b54247e762e885cb1ebffa41fa4e
  2382. SHA1: d8f7c6d3b071be3c3461cb9d74ded4c088f061ec
  2383. 604 7167
  2384. File
  2385. Close
  2386.  
  2387. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Zune.xml
  2388. MD5: 694b42cee7cceb3c033c0e6a6152b728
  2389. SHA1: 8fec98d6b2f6b8416d73064fb1adc58d68d7382e
  2390. 604 7168
  2391. File
  2392. Rename
  2393.  
  2394. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Zune.xml
  2395. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Yms2LC7ttj7D3RR+pa45+Q==.7A2F0ADB1B90B147D
  2396. ABB.no_more_ransom
  2397. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  2398. MD5: 694b42cee7cceb3c033c0e6a6152b728
  2399. SHA1: 8fec98d6b2f6b8416d73064fb1adc58d68d7382e
  2400. 604 7168
  2401. File
  2402. Open
  2403.  
  2404. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Xbox360.xml
  2405. 604 6691
  2406. File
  2407. Open
  2408.  
  2409. C:\ProgramData\System32\xfs
  2410. MD5: f1612e4d2ed195dbd4d1fb16e235fd6c
  2411. SHA1: a0c62175588d5988da8dd780a13a7f68f5d1cd8f
  2412. 604 3292
  2413. File
  2414. Close
  2415.  
  2416. C:\ProgramData\System32\xfs
  2417. MD5: 088b3d2587573b18d49654409f5269d8
  2418. SHA1: 5b7d647a6279cbab8fa085eb55fbaed7fbd34d9f
  2419. 604 3470
  2420. File
  2421. Hide
  2422.  
  2423. C:\ProgramData\System32\xfs
  2424. MD5: 088b3d2587573b18d49654409f5269d8
  2425. SHA1: 5b7d647a6279cbab8fa085eb55fbaed7fbd34d9f
  2426. 604 3470
  2427. File
  2428. Close
  2429.  
  2430. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Xbox360.xml
  2431. MD5: 5be94aa15d27bd5c6d2d44dfd800808e
  2432. SHA1: fc419c9b0af50ab3664b13f96fafd8cd11a298ad
  2433. 604 7075
  2434. File
  2435. Open
  2436.  
  2437. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Xbox360.xml
  2438. MD5: 5be94aa15d27bd5c6d2d44dfd800808e
  2439. SHA1: fc419c9b0af50ab3664b13f96fafd8cd11a298ad
  2440. 604 7075
  2441. File
  2442. Close
  2443.  
  2444. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Xbox360.xml
  2445. MD5: 273ae25a20a9c161bd04f95d407966ff
  2446. SHA1: e786377cddf92230676e9b58819357c766cdb990
  2447. 604 7088
  2448. File
  2449. Rename
  2450.  
  2451. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Xbox360.xml
  2452. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\lhtH9E-Z3zcCvX9fWVoxcXIB1b+hI5zsZSjTNvKe2j
  2453. U=.7A2F0ADB1B90B147DABB.no_more_ransom
  2454. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  2455. MD5: 273ae25a20a9c161bd04f95d407966ff
  2456. SHA1: e786377cddf92230676e9b58819357c766cdb990
  2457. 604 7088
  2458. File
  2459. Open
  2460.  
  2461. C:\ProgramData\System32\xfs
  2462. MD5: 088b3d2587573b18d49654409f5269d8
  2463. SHA1: 5b7d647a6279cbab8fa085eb55fbaed7fbd34d9f
  2464. 604 3470
  2465. File
  2466. Close
  2467.  
  2468. C:\ProgramData\System32\xfs
  2469. MD5: 1108642c696e20c0ef5c60d41505216d
  2470. SHA1: 31864df068aa180dff0d79eba38bb877fafda7fd
  2471. 604 3654
  2472. File
  2473. Hide
  2474.  
  2475. C:\ProgramData\System32\xfs
  2476. MD5: 1108642c696e20c0ef5c60d41505216d
  2477. SHA1: 31864df068aa180dff0d79eba38bb877fafda7fd
  2478. 604 3654
  2479. File
  2480. Open
  2481.  
  2482. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\T-MobileG1.xml
  2483. 604 4649
  2484. File
  2485. Close
  2486.  
  2487. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\T-MobileG1.xml
  2488. MD5: 1a9a423a6ecfe4f81e830a2371df7cf3
  2489. SHA1: 08e596a9583235e347b45185dc92e241b1e6a6f1
  2490. 604 5033
  2491. File
  2492. Open
  2493.  
  2494. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\T-MobileG1.xml
  2495. MD5: 1a9a423a6ecfe4f81e830a2371df7cf3
  2496. SHA1: 08e596a9583235e347b45185dc92e241b1e6a6f1
  2497. 604 5033
  2498. File
  2499. Close
  2500.  
  2501. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\T-MobileG1.xml
  2502. MD5: 145fc2015bc840e07a1efac5ccc0b846
  2503. SHA1: e6c8f81e25e5ebf316fca7cb78c6c5e233fa13bd
  2504. 604 5040
  2505. File
  2506. Rename
  2507.  
  2508. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\T-MobileG1.xml
  2509. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\KSJA8NBynNjzop7lpo3ut8TML0b0mWFEdUs90KMdh1
  2510. s=.7A2F0ADB1B90B147DABB.no_more_ransom
  2511. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  2512. MD5: 145fc2015bc840e07a1efac5ccc0b846
  2513. SHA1: e6c8f81e25e5ebf316fca7cb78c6c5e233fa13bd
  2514. 604 5040
  2515. File
  2516. Open
  2517.  
  2518. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SonyEricssonW760.xml
  2519. 604 5363
  2520. File
  2521. Open
  2522.  
  2523. C:\ProgramData\System32\xfs
  2524. MD5: 1108642c696e20c0ef5c60d41505216d
  2525. SHA1: 31864df068aa180dff0d79eba38bb877fafda7fd
  2526. 604 3654
  2527. File
  2528. Close
  2529.  
  2530. C:\ProgramData\System32\xfs
  2531. MD5: 808401175319073e68d6cf269dfff305
  2532. SHA1: 6d30278c69e379eab8fd25ece7186d2bee126c5f
  2533. 604 3844
  2534. File
  2535. Hide
  2536.  
  2537. C:\ProgramData\System32\xfs
  2538. MD5: 808401175319073e68d6cf269dfff305
  2539. SHA1: 6d30278c69e379eab8fd25ece7186d2bee126c5f
  2540. 604 3844
  2541. File
  2542. Close
  2543.  
  2544. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SonyEricssonW760.xml
  2545. MD5: ea25ddae9cbfc44dee48ab4c094e92a6
  2546. SHA1: 17c8acaf8efd005770b9e24d64d39623832214f8
  2547. 604 5747
  2548. File
  2549. Open
  2550.  
  2551. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SonyEricssonW760.xml
  2552. MD5: ea25ddae9cbfc44dee48ab4c094e92a6
  2553. SHA1: 17c8acaf8efd005770b9e24d64d39623832214f8
  2554. 604 5747
  2555. File
  2556. Close
  2557.  
  2558. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SonyEricssonW760.xml
  2559. MD5: efb2876d81d1c067f11512549cffcc6e
  2560. SHA1: 0412c57773f0a66c860cbc0ba7a6e15a6f4b45fe
  2561. 604 5760
  2562. File
  2563. Rename
  2564.  
  2565. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SonyEricssonW760.xml
  2566. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\02imqzJMzhdtLtqkdBHUUKrRFdn16zvLyxuB5i4LOV
  2567. oA3G1YkJs9ouhuLE+sjqXX.7A2F0ADB1B90B147DABB.no_more_ransom
  2568. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  2569. MD5: efb2876d81d1c067f11512549cffcc6e
  2570. SHA1: 0412c57773f0a66c860cbc0ba7a6e15a6f4b45fe
  2571. 604 5760
  2572. File
  2573. Open
  2574.  
  2575. C:\ProgramData\System32\xfs
  2576. MD5: 808401175319073e68d6cf269dfff305
  2577. SHA1: 6d30278c69e379eab8fd25ece7186d2bee126c5f
  2578. 604 3844
  2579. File
  2580. Close
  2581.  
  2582. C:\ProgramData\System32\xfs
  2583. MD5: 9ab60b58240e908524497674b4b541c8
  2584. SHA1: 0747b2855ab4345075253c71ffd465ef618e3f38
  2585. 604 4046
  2586. File
  2587. Hide
  2588.  
  2589. C:\ProgramData\System32\xfs
  2590. MD5: 9ab60b58240e908524497674b4b541c8
  2591. SHA1: 0747b2855ab4345075253c71ffd465ef618e3f38
  2592. 604 4046
  2593. File
  2594. Open
  2595.  
  2596. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Sidekick.xml
  2597. 604 4014
  2598. File
  2599. Close
  2600.  
  2601. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Sidekick.xml
  2602. MD5: 387ba605bda41d97ff79dc82d437095f
  2603. SHA1: 7179f123148025273b93826d3362782deddc0788
  2604. 604 4398
  2605. File
  2606. Open
  2607.  
  2608. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Sidekick.xml
  2609. MD5: 387ba605bda41d97ff79dc82d437095f
  2610. SHA1: 7179f123148025273b93826d3362782deddc0788
  2611. 604 4398
  2612. File
  2613. Close
  2614.  
  2615. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Sidekick.xml
  2616. MD5: fa2e7e1279155e7667a7530092cf86a0
  2617. SHA1: 6a255067887d856ec8e7154e183a8d8640c0c522
  2618. 604 4400
  2619. File
  2620. Rename
  2621.  
  2622. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Sidekick.xml
  2623. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\uninQwZmvkMwO8A8L4h-c+Q-Rw9QGP2HqclnC+uHHV
  2624. 4=.7A2F0ADB1B90B147DABB.no_more_ransom
  2625. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  2626. MD5: fa2e7e1279155e7667a7530092cf86a0
  2627. SHA1: 6a255067887d856ec8e7154e183a8d8640c0c522
  2628. 604 4400
  2629. File
  2630. Open
  2631.  
  2632. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungMoment.xml
  2633. 604 7105
  2634. File
  2635. Open
  2636.  
  2637. C:\ProgramData\System32\xfs
  2638. MD5: 9ab60b58240e908524497674b4b541c8
  2639. SHA1: 0747b2855ab4345075253c71ffd465ef618e3f38
  2640. 604 4046
  2641. File
  2642. Close
  2643.  
  2644. C:\ProgramData\System32\xfs
  2645. MD5: 51229eaef48abc70e448fbeea34076b5
  2646. SHA1: 1aa762f1c13a735573968dc6487c024e9ed658ef
  2647. 604 4232
  2648. File
  2649. Hide
  2650.  
  2651. C:\ProgramData\System32\xfs
  2652. MD5: 51229eaef48abc70e448fbeea34076b5
  2653. SHA1: 1aa762f1c13a735573968dc6487c024e9ed658ef
  2654. 604 4232
  2655. File
  2656. Close
  2657.  
  2658. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungMoment.xml
  2659. MD5: 4d279b826e54a73726b5d9fbb8df7888
  2660. SHA1: 42ab163c3e8234203a8dcc54bfc2b85b4f469f79
  2661. 604 7489
  2662. File
  2663. Open
  2664.  
  2665. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungMoment.xml
  2666. MD5: 4d279b826e54a73726b5d9fbb8df7888
  2667. SHA1: 42ab163c3e8234203a8dcc54bfc2b85b4f469f79
  2668. 604 7489
  2669. File
  2670. Close
  2671.  
  2672. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungMoment.xml
  2673. MD5: 2ea94923c9e3df1d2c39f25469d3602f
  2674. SHA1: 49358c1987aa7f4f58151938cf1f6bd3765c8d5d
  2675. 604 7504
  2676. File
  2677. Rename
  2678.  
  2679. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungMoment.xml
  2680. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\exkuUO7i5KEr5Y3HiFe3Tw0WAJK9y9uMqff6AwrPuE
  2681. +zdVR8rA+pf86L6n2TPRmq.7A2F0ADB1B90B147DABB.no_more_ransom
  2682. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  2683. MD5: 2ea94923c9e3df1d2c39f25469d3602f
  2684. SHA1: 49358c1987aa7f4f58151938cf1f6bd3765c8d5d
  2685. 604 7504
  2686. File
  2687. Open
  2688.  
  2689. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungMemoir.xml
  2690. 604 5458
  2691. File
  2692. Open
  2693.  
  2694. C:\ProgramData\System32\xfs
  2695. MD5: 51229eaef48abc70e448fbeea34076b5
  2696. SHA1: 1aa762f1c13a735573968dc6487c024e9ed658ef
  2697. 604 4232
  2698. File
  2699. Close
  2700.  
  2701. C:\ProgramData\System32\xfs
  2702. MD5: 73996aa8e26096f4cc1483ca84028531
  2703. SHA1: 0c10264059ee938303937982abd0338ebb3c3671
  2704. 604 4428
  2705. File
  2706. Hide
  2707.  
  2708. C:\ProgramData\System32\xfs
  2709. MD5: 73996aa8e26096f4cc1483ca84028531
  2710. SHA1: 0c10264059ee938303937982abd0338ebb3c3671
  2711. 604 4428
  2712. File
  2713. Close
  2714.  
  2715. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungMemoir.xml
  2716. MD5: 240d2245dcd494f5d6fb5fc8da67f1a6
  2717. SHA1: 09dabe48ea2155c85b46016c5cf8efccb8dae39d
  2718. 604 5842
  2719. File
  2720. Open
  2721.  
  2722. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungMemoir.xml
  2723. MD5: 240d2245dcd494f5d6fb5fc8da67f1a6
  2724. SHA1: 09dabe48ea2155c85b46016c5cf8efccb8dae39d
  2725. 604 5842
  2726. File
  2727. Close
  2728.  
  2729. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungMemoir.xml
  2730. MD5: 5ea0553c92edf8510769d036fff1759a
  2731. SHA1: 6bee3ed7e2bb5e74bcbb6795af7f60cc78713783
  2732. 604 5856
  2733. File
  2734. Rename
  2735.  
  2736. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungMemoir.xml
  2737. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\0FhNN0+4a7HQlHd82oMsdwGQ2or3MsmZdaJ6U6ubTu
  2738. 6oFvmrSofqF+zoc7VmnkuV.7A2F0ADB1B90B147DABB.no_more_ransom
  2739. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  2740. MD5: 5ea0553c92edf8510769d036fff1759a
  2741. SHA1: 6bee3ed7e2bb5e74bcbb6795af7f60cc78713783
  2742. 604 5856
  2743. File
  2744. Open
  2745.  
  2746. C:\ProgramData\System32\xfs
  2747. MD5: 73996aa8e26096f4cc1483ca84028531
  2748. SHA1: 0c10264059ee938303937982abd0338ebb3c3671
  2749. 604 4428
  2750. File
  2751. Close
  2752.  
  2753. C:\ProgramData\System32\xfs
  2754. MD5: 8371abd406c44d480e2381fc98b089d3
  2755. SHA1: 9c6098a35f9dd90379df3ab618172e5bc0e24873
  2756. 604 4624
  2757. File
  2758. Open
  2759.  
  2760. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungJack.xml
  2761. 604 6033
  2762. File
  2763. Hide
  2764.  
  2765. C:\ProgramData\System32\xfs
  2766. MD5: 8371abd406c44d480e2381fc98b089d3
  2767. SHA1: 9c6098a35f9dd90379df3ab618172e5bc0e24873
  2768. 604 4624
  2769. File
  2770. Close
  2771.  
  2772. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungJack.xml
  2773. MD5: 75eaa5e6d3485132d3246184e042f8f8
  2774. SHA1: b67eafe273faef4899f95abc6b6de9a662528be6
  2775. 604 6417
  2776. File
  2777. Open
  2778.  
  2779. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungJack.xml
  2780. MD5: 75eaa5e6d3485132d3246184e042f8f8
  2781. SHA1: b67eafe273faef4899f95abc6b6de9a662528be6
  2782. 604 6417
  2783. File
  2784. Close
  2785.  
  2786. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungJack.xml
  2787. MD5: af133ce0dd7d1bab614fb4ed16e0fc9c
  2788. SHA1: 05b721cf2dbc26ea6f3556cdfdddda0cf79cf18e
  2789. 604 6432
  2790. File
  2791. Rename
  2792.  
  2793. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungJack.xml
  2794. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NgcaHL0pivRAgpFzavanafFxCnQer4R31jAyJZTTIn
  2795. Q=.7A2F0ADB1B90B147DABB.no_more_ransom
  2796. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  2797. MD5: af133ce0dd7d1bab614fb4ed16e0fc9c
  2798. SHA1: 05b721cf2dbc26ea6f3556cdfdddda0cf79cf18e
  2799. 604 6432
  2800. File
  2801. Open
  2802.  
  2803. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyS3.xml
  2804. 604 9171
  2805. File
  2806. Open
  2807.  
  2808. C:\ProgramData\System32\xfs
  2809. MD5: 8371abd406c44d480e2381fc98b089d3
  2810. SHA1: 9c6098a35f9dd90379df3ab618172e5bc0e24873
  2811. 604 4624
  2812. File
  2813. Close
  2814.  
  2815. C:\ProgramData\System32\xfs
  2816. MD5: f2ac000a81aa51bc5d48674a30a4f1e0
  2817. SHA1: 3f241b98cf33675d97c50615d1671940ec28e60d
  2818. 604 4816
  2819. File
  2820. Hide
  2821.  
  2822. C:\ProgramData\System32\xfs
  2823. MD5: f2ac000a81aa51bc5d48674a30a4f1e0
  2824. SHA1: 3f241b98cf33675d97c50615d1671940ec28e60d
  2825. 604 4816
  2826. File
  2827. Close
  2828.  
  2829. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyS3.xml
  2830. MD5: 2d00bddb3a54e51e000065f2d8ebaddf
  2831. SHA1: 35264efacba25d061b3864cdecfaf18b450ce0ce
  2832. 604 9555
  2833. File
  2834. Open
  2835.  
  2836. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyS3.xml
  2837. MD5: 2d00bddb3a54e51e000065f2d8ebaddf
  2838. SHA1: 35264efacba25d061b3864cdecfaf18b450ce0ce
  2839. 604 9555
  2840. File
  2841. Close
  2842.  
  2843. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyS3.xml
  2844. MD5: 1cf144adac94cd537b47ee4f21dd10d6
  2845. SHA1: f1cf3fec6341874c5896d9d63a84f7c6cb97bfc5
  2846. 604 9568
  2847. File
  2848. Rename
  2849.  
  2850. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyS3.xml
  2851. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\oupMqDzQmWdjlHlZ6TG+YuKeqrFOGJf4hNcwrq3y6H
  2852. 8TtYV8hLU5KWpQS7-jd-jQ.7A2F0ADB1B90B147DABB.no_more_ransom
  2853. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  2854. MD5: 1cf144adac94cd537b47ee4f21dd10d6
  2855. SHA1: f1cf3fec6341874c5896d9d63a84f7c6cb97bfc5
  2856. 604 9568
  2857. File
  2858. Open
  2859.  
  2860. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyS2.xml
  2861. 604 9459
  2862. File
  2863. Open
  2864.  
  2865. C:\ProgramData\System32\xfs
  2866. MD5: f2ac000a81aa51bc5d48674a30a4f1e0
  2867. SHA1: 3f241b98cf33675d97c50615d1671940ec28e60d
  2868. 604 4816
  2869. File
  2870. Close
  2871.  
  2872. C:\ProgramData\System32\xfs
  2873. MD5: 63c80283c4e2f69c8a70a5f9e8ab395f
  2874. SHA1: bbb0fb6287db67eed652409a40df563edb241c24
  2875. 604 5016
  2876. File
  2877. Hide
  2878.  
  2879. C:\ProgramData\System32\xfs
  2880. MD5: 63c80283c4e2f69c8a70a5f9e8ab395f
  2881. SHA1: bbb0fb6287db67eed652409a40df563edb241c24
  2882. 604 5016
  2883. File
  2884. Close
  2885.  
  2886. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyS2.xml
  2887. MD5: d4dc9df19bcb162fe81194e9d5ad3a33
  2888. SHA1: 6eca36042a9eccef37b9d0db15550377b40243b8
  2889. 604 9843
  2890. File
  2891. Open
  2892.  
  2893. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyS2.xml
  2894. MD5: d4dc9df19bcb162fe81194e9d5ad3a33
  2895. SHA1: 6eca36042a9eccef37b9d0db15550377b40243b8
  2896. 604 9843
  2897. File
  2898. Close
  2899.  
  2900. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyS2.xml
  2901. MD5: bf42aecd830042694bb57d15e42a6aef
  2902. SHA1: 5e6f30b3f7688358a59ba0d944680fea3740499a
  2903. 604 9856
  2904. File
  2905. Rename
  2906.  
  2907. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyS2.xml
  2908. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\H46UnhdE0tMJ8VOrybgp48X6NDRw2DQTU46EF99Ms1
  2909. sNoeWyNhSBLmvZLa83PmAV.7A2F0ADB1B90B147DABB.no_more_ransom
  2910. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  2911. MD5: bf42aecd830042694bb57d15e42a6aef
  2912. SHA1: 5e6f30b3f7688358a59ba0d944680fea3740499a
  2913. 604 9856
  2914. File
  2915. Open
  2916.  
  2917. C:\ProgramData\System32\xfs
  2918. MD5: 63c80283c4e2f69c8a70a5f9e8ab395f
  2919. SHA1: bbb0fb6287db67eed652409a40df563edb241c24
  2920. 604 5016
  2921. File
  2922. Open
  2923.  
  2924. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyNote.xml
  2925. 604 9148
  2926. File
  2927. Close
  2928.  
  2929. C:\ProgramData\System32\xfs
  2930. MD5: d23451717faef006838316174ef64585
  2931. SHA1: f15e966f3e6ee81bedbc4d045060640becc2ecc7
  2932. 604 5216
  2933. File
  2934. Hide
  2935.  
  2936. C:\ProgramData\System32\xfs
  2937. MD5: d23451717faef006838316174ef64585
  2938. SHA1: f15e966f3e6ee81bedbc4d045060640becc2ecc7
  2939. 604 5216
  2940. File
  2941. Close
  2942.  
  2943. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyNote.xml
  2944. MD5: baac8853d55a81b675a91babc6e30e12
  2945. SHA1: ef93db41dab7bca35fa3b602f6c06be9efc81c4c
  2946. 604 9532
  2947. File
  2948. Open
  2949.  
  2950. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyNote.xml
  2951. MD5: baac8853d55a81b675a91babc6e30e12
  2952. SHA1: ef93db41dab7bca35fa3b602f6c06be9efc81c4c
  2953. 604 9532
  2954. File
  2955. Close
  2956.  
  2957. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyNote.xml
  2958. MD5: 6a3ab23d1631917486509bf382236df8
  2959. SHA1: 2b0cde1c97178151c690d406f38cb2ce26e113eb
  2960. 604 9536
  2961. File
  2962. Rename
  2963.  
  2964. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyNote.xml
  2965. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\qq9O1JbBBBi477CMcrMndJT08n4RkwqJrJUCm7jCHs
  2966. V4yowBrvobSRgaTHqvJtBi.7A2F0ADB1B90B147DABB.no_more_ransom
  2967. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  2968. MD5: 6a3ab23d1631917486509bf382236df8
  2969. SHA1: 2b0cde1c97178151c690d406f38cb2ce26e113eb
  2970. 604 9536
  2971. File
  2972. Open
  2973.  
  2974. C:\ProgramData\System32\xfs
  2975. MD5: d23451717faef006838316174ef64585
  2976. SHA1: f15e966f3e6ee81bedbc4d045060640becc2ecc7
  2977. 604 5216
  2978. File
  2979. Close
  2980.  
  2981. C:\ProgramData\System32\xfs
  2982. MD5: 8541dcaf4a469f6f6a3bc60a77dc1374
  2983. SHA1: c8723053425af261fbef70151fbb6841d3580faa
  2984. 604 5420
  2985. File
  2986. Open
  2987.  
  2988. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungEternity.xml
  2989. 604 6520
  2990. File
  2991. Hide
  2992.  
  2993. C:\ProgramData\System32\xfs
  2994. MD5: 8541dcaf4a469f6f6a3bc60a77dc1374
  2995. SHA1: c8723053425af261fbef70151fbb6841d3580faa
  2996. 604 5420
  2997. File
  2998. Close
  2999.  
  3000. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungEternity.xml
  3001. MD5: 9f891b8321615ba959ccef8720eb0e73
  3002. SHA1: 0ac22f087d75b1332cf3fbdba8266c3e45825092
  3003. 604 6904
  3004. File
  3005. Open
  3006.  
  3007. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungEternity.xml
  3008. MD5: 9f891b8321615ba959ccef8720eb0e73
  3009. SHA1: 0ac22f087d75b1332cf3fbdba8266c3e45825092
  3010. 604 6904
  3011. File
  3012. Close
  3013.  
  3014. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungEternity.xml
  3015. MD5: f0fd7dfaeb600ddeb3272092e8485ade
  3016. SHA1: 13a19b7135d899b5407d95f44f21d8b1246771ae
  3017. 604 6912
  3018. File
  3019. Rename
  3020.  
  3021. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungEternity.xml
  3022. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\f6l1wLbDDtkSyWk+7jVhLan3rgCgD98dlFE+3z9oI6
  3023. ut+QMa2-g-efQH+FJcC5WT.7A2F0ADB1B90B147DABB.no_more_ransom
  3024. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  3025. MD5: f0fd7dfaeb600ddeb3272092e8485ade
  3026. SHA1: 13a19b7135d899b5407d95f44f21d8b1246771ae
  3027. 604 6912
  3028. File
  3029. Open
  3030.  
  3031. C:\ProgramData\System32\xfs
  3032. MD5: 8541dcaf4a469f6f6a3bc60a77dc1374
  3033. SHA1: c8723053425af261fbef70151fbb6841d3580faa
  3034. 604 5420
  3035. File
  3036. Open
  3037.  
  3038. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungBeholdII.xml
  3039. 604 5164
  3040. File
  3041. Close
  3042.  
  3043. C:\ProgramData\System32\xfs
  3044. MD5: 72464befa235d477254864a3078174ea
  3045. SHA1: 6213b1233bab057d23ef7b78b1f43c7855df9a21
  3046. 604 5620
  3047. File
  3048. Hide
  3049.  
  3050. C:\ProgramData\System32\xfs
  3051. MD5: 72464befa235d477254864a3078174ea
  3052. SHA1: 6213b1233bab057d23ef7b78b1f43c7855df9a21
  3053. 604 5620
  3054. File
  3055. Close
  3056.  
  3057. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungBeholdII.xml
  3058. MD5: 2bee511cffad099ab400d42afcd1c53e
  3059. SHA1: f90ad767bd205b099f08c79640d1e815a74293ee
  3060. 604 5548
  3061. File
  3062. Open
  3063.  
  3064. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungBeholdII.xml
  3065. MD5: 2bee511cffad099ab400d42afcd1c53e
  3066. SHA1: f90ad767bd205b099f08c79640d1e815a74293ee
  3067. 604 5548
  3068. File
  3069. Close
  3070.  
  3071. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungBeholdII.xml
  3072. MD5: 7fbd801070f1f60ca4e42a6ffd06dbcd
  3073. SHA1: 26a46620bf2c29e94584d5ae565dea6c2560ff0b
  3074. 604 5552
  3075. File
  3076. Rename
  3077.  
  3078. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungBeholdII.xml
  3079. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\x5bCKfHJlECvbho1SRjDUX5bUm+g1BExr0WncGPIBj
  3080. tCe9Whr4Jsop6XtF9HQvBv.7A2F0ADB1B90B147DABB.no_more_ransom
  3081. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  3082. MD5: 7fbd801070f1f60ca4e42a6ffd06dbcd
  3083. SHA1: 26a46620bf2c29e94584d5ae565dea6c2560ff0b
  3084. 604 5552
  3085. File
  3086. Open
  3087.  
  3088. C:\ProgramData\System32\xfs
  3089. MD5: 72464befa235d477254864a3078174ea
  3090. SHA1: 6213b1233bab057d23ef7b78b1f43c7855df9a21
  3091. 604 5620
  3092. File
  3093. Open
  3094.  
  3095. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Samsung.xml
  3096. 604 6497
  3097. File
  3098. Close
  3099.  
  3100. C:\ProgramData\System32\xfs
  3101. MD5: d55fdaddead04ef4b8126cb90431dffa
  3102. SHA1: a2eb62311b84e2aa05d2157562a934328aacb650
  3103. 604 5820
  3104. File
  3105. Hide
  3106.  
  3107. C:\ProgramData\System32\xfs
  3108. MD5: d55fdaddead04ef4b8126cb90431dffa
  3109. SHA1: a2eb62311b84e2aa05d2157562a934328aacb650
  3110. 604 5820
  3111. File
  3112. Close
  3113.  
  3114. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Samsung.xml
  3115. MD5: b43a4c62b3978cb863cbc586fff2ca07
  3116. SHA1: 15ba48fc91de2ebd10e71c999c7f72c9b339dc03
  3117. 604 6881
  3118. File
  3119. Open
  3120.  
  3121. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Samsung.xml
  3122. MD5: b43a4c62b3978cb863cbc586fff2ca07
  3123. SHA1: 15ba48fc91de2ebd10e71c999c7f72c9b339dc03
  3124. 604 6881
  3125. File
  3126. Close
  3127.  
  3128. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Samsung.xml
  3129. MD5: 70721dd35b4cc705d1d01d9a741b97ab
  3130. SHA1: 8392432d4985e2ac259f8e2d4f41552821c4c999
  3131. 604 6896
  3132. File
  3133. Rename
  3134.  
  3135. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Samsung.xml
  3136. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\vQPhHe23jv4OrMOzOnLSUGP6ZBVmGKon9GD1pB080G
  3137. o=.7A2F0ADB1B90B147DABB.no_more_ransom
  3138. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  3139. MD5: 70721dd35b4cc705d1d01d9a741b97ab
  3140. SHA1: 8392432d4985e2ac259f8e2d4f41552821c4c999
  3141. 604 6896
  3142. File
  3143. Open
  3144.  
  3145. C:\ProgramData\System32\xfs
  3146. MD5: d55fdaddead04ef4b8126cb90431dffa
  3147. SHA1: a2eb62311b84e2aa05d2157562a934328aacb650
  3148. 604 5820
  3149. File
  3150. Open
  3151.  
  3152. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PSP.xml
  3153. 604 4818
  3154. File
  3155. Close
  3156.  
  3157. C:\ProgramData\System32\xfs
  3158. MD5: f40c6f323dda67468533dac61b7fd4ca
  3159. SHA1: d385e46a489e1e8c074d809c8836da960cf41620
  3160. 604 6004
  3161. File
  3162. Hide
  3163.  
  3164. C:\ProgramData\System32\xfs
  3165. MD5: f40c6f323dda67468533dac61b7fd4ca
  3166. SHA1: d385e46a489e1e8c074d809c8836da960cf41620
  3167. 604 6004
  3168. File
  3169. Close
  3170.  
  3171. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PSP.xml
  3172. MD5: a04f7ac6ddac2afaffe33cfc93ebb7aa
  3173. SHA1: 18b8721ba03e848e9f9f8331230a2ecfebbfa857
  3174. 604 5202
  3175. File
  3176. Open
  3177.  
  3178. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PSP.xml
  3179. MD5: a04f7ac6ddac2afaffe33cfc93ebb7aa
  3180. SHA1: 18b8721ba03e848e9f9f8331230a2ecfebbfa857
  3181. 604 5202
  3182. File
  3183. Close
  3184.  
  3185. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PSP.xml
  3186. MD5: 8acf1f77304c16700ac42eee28991732
  3187. SHA1: 66d619ca8f970cd3e669147d2aa9cc4c6bebf3df
  3188. 604 5216
  3189. File
  3190. Rename
  3191.  
  3192. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PSP.xml
  3193. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\UQiEmkNdPK+Y7yTLeh5GHA==.7A2F0ADB1B90B147D
  3194. ABB.no_more_ransom
  3195. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  3196. MD5: 8acf1f77304c16700ac42eee28991732
  3197. SHA1: 66d619ca8f970cd3e669147d2aa9cc4c6bebf3df
  3198. 604 5216
  3199. File
  3200. Open
  3201.  
  3202. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PlayStation3.xml
  3203. 604 6708
  3204. File
  3205. Open
  3206.  
  3207. C:\ProgramData\System32\xfs
  3208. MD5: f40c6f323dda67468533dac61b7fd4ca
  3209. SHA1: d385e46a489e1e8c074d809c8836da960cf41620
  3210. 604 6004
  3211. File
  3212. Close
  3213.  
  3214. C:\ProgramData\System32\xfs
  3215. MD5: c1169d8afe6832b1038374ff7eb154ec
  3216. SHA1: 6ea322769ba990412d9e4aaf945533b58958e494
  3217. 604 6180
  3218. File
  3219. Hide
  3220.  
  3221. C:\ProgramData\System32\xfs
  3222. MD5: c1169d8afe6832b1038374ff7eb154ec
  3223. SHA1: 6ea322769ba990412d9e4aaf945533b58958e494
  3224. 604 6180
  3225. File
  3226. Close
  3227.  
  3228. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PlayStation3.xml
  3229. MD5: 9b59c2caadfd97c3091240952f84fbac
  3230. SHA1: c269fbbca452fdcdcbc94d4335a558bfa934b242
  3231. 604 7092
  3232. File
  3233. Open
  3234.  
  3235. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PlayStation3.xml
  3236. MD5: 9b59c2caadfd97c3091240952f84fbac
  3237. SHA1: c269fbbca452fdcdcbc94d4335a558bfa934b242
  3238. 604 7092
  3239. File
  3240. Close
  3241.  
  3242. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PlayStation3.xml
  3243. MD5: ef43c1c7263ba6927a55e9fd7f799200
  3244. SHA1: 2b5b589dec02ef09d3362568368292f6f776ab14
  3245. 604 7104
  3246. File
  3247. Rename
  3248.  
  3249. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PlayStation3.xml
  3250. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\XKJA+KWgahf1pps-wS-VsEMJLs3jJjuDBcs4mgBexPk=.7A2F0ADB1B90B147DABB.no_more_ransom
  3252. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  3253. MD5: ef43c1c7263ba6927a55e9fd7f799200
  3254. SHA1: 2b5b589dec02ef09d3362568368292f6f776ab14
  3255. 604 7104
  3256. File
  3257. Open
  3258.  
  3259. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PCorMac.xml
  3260. 604 9992
  3261. File
  3262. Open
  3263.  
  3264. C:\ProgramData\System32\xfs
  3265. MD5: c1169d8afe6832b1038374ff7eb154ec
  3266. SHA1: 6ea322769ba990412d9e4aaf945533b58958e494
  3267. 604 6180
  3268. File
  3269. Close
  3270.  
  3271. C:\ProgramData\System32\xfs
  3272. MD5: 52605d341648947ba3d2e3138050a5bc
  3273. SHA1: c82d5d8939d862a2c1d417dff074655e83f0f78d
  3274. 604 6374
  3275. File
  3276. Hide
  3277.  
  3278. C:\ProgramData\System32\xfs
  3279. MD5: 52605d341648947ba3d2e3138050a5bc
  3280. SHA1: c82d5d8939d862a2c1d417dff074655e83f0f78d
  3281. 604 6374
  3282. File
  3283. Close
  3284.  
  3285. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PCorMac.xml
  3286. MD5: 14e93db48a76535d4f4555125c75b998
  3287. SHA1: 05f7325e041e17ef58d0f71c0a0d0055087ab534
  3288. 604 10376
  3289. File
  3290. Open
  3291.  
  3292. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PCorMac.xml
  3293. MD5: 14e93db48a76535d4f4555125c75b998
  3294. SHA1: 05f7325e041e17ef58d0f71c0a0d0055087ab534
  3295. 604 10376
  3296. File
  3297. Close
  3298.  
  3299. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PCorMac.xml
  3300. MD5: 55334f6dfb6a6158621624df2217a811
  3301. SHA1: f5906e0291e9d60a2e2170b3e146f4d1727e736a
  3302. 604 10384
  3303. File
  3304. Rename
  3305.  
  3306. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PCorMac.xml
  3307. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Hfh9x-CSbyN6PMY6UWRb7hBZVray8M+sKd4hBen+vyw=.7A2F0ADB1B90B147DABB.no_more_ransom
  3309. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  3310. MD5: 55334f6dfb6a6158621624df2217a811
  3311. SHA1: f5906e0291e9d60a2e2170b3e146f4d1727e736a
  3312. 604 10384
  3313. File
  3314. Open
  3315.  
  3316. C:\ProgramData\System32\xfs
  3317. MD5: 52605d341648947ba3d2e3138050a5bc
  3318. SHA1: c82d5d8939d862a2c1d417dff074655e83f0f78d
  3319. 604 6374
  3320. File
  3321. Open
  3322.  
  3323. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PalmPre.xml
  3324. 604 5441
  3325. File
  3326. Close
  3327.  
  3328. C:\ProgramData\System32\xfs
  3329. MD5: 31371f9d1d0353e7662912edccbb2ab5
  3330. SHA1: 16eab066d51c8576938529d7a25ab7c7173a13f0
  3331. 604 6558
  3332. File
  3333. Hide
  3334.  
  3335. C:\ProgramData\System32\xfs
  3336. MD5: 31371f9d1d0353e7662912edccbb2ab5
  3337. SHA1: 16eab066d51c8576938529d7a25ab7c7173a13f0
  3338. 604 6558
  3339. File
  3340. Close
  3341.  
  3342. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PalmPre.xml
  3343. MD5: 05ed9317068f6637695e1a8134f11245
  3344. SHA1: 12fd77d03997a9c9d1053b9fa40656320a11d125
  3345. 604 5825
  3346. File
  3347. Open
  3348.  
  3349. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PalmPre.xml
  3350. MD5: 05ed9317068f6637695e1a8134f11245
  3351. SHA1: 12fd77d03997a9c9d1053b9fa40656320a11d125
  3352. 604 5825
  3353. File
  3354. Close
  3355.  
  3356. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PalmPre.xml
  3357. MD5: 983d060830be5f091c4e6d79f8ec1332
  3358. SHA1: f8c74b16cdfccbe5a6091660f53bf54c8c93b2c0
  3359. 604 5840
  3360. File
  3361. Rename
  3362.  
  3363. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PalmPre.xml
  3364. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\4lro6UrnZnAnolbzLAkyFW1ppECWPHwwcDV2O3wYYEU=.7A2F0ADB1B90B147DABB.no_more_ransom
  3366. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  3367. MD5: 983d060830be5f091c4e6d79f8ec1332
  3368. SHA1: f8c74b16cdfccbe5a6091660f53bf54c8c93b2c0
  3369. 604 5840
  3370. File
  3371. Open
  3372.  
  3373. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PalmCentro.xml
  3374. 604 2672
  3375. File
  3376. Open
  3377.  
  3378. C:\ProgramData\System32\xfs
  3379. MD5: 31371f9d1d0353e7662912edccbb2ab5
  3380. SHA1: 16eab066d51c8576938529d7a25ab7c7173a13f0
  3381. 604 6558
  3382. File
  3383. Close
  3384.  
  3385. C:\ProgramData\System32\xfs
  3386. MD5: 6fda7aaae38bbe8b64e7f6b6df0d9f0e
  3387. SHA1: 11e23cc41846a68218671813adefee86fd73de53
  3388. 604 6742
  3389. File
  3390. Hide
  3391.  
  3392. C:\ProgramData\System32\xfs
  3393. MD5: 6fda7aaae38bbe8b64e7f6b6df0d9f0e
  3394. SHA1: 11e23cc41846a68218671813adefee86fd73de53
  3395. 604 6742
  3396. File
  3397. Close
  3398.  
  3399. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PalmCentro.xml
  3400. MD5: 992326804b1f5642c19dde09dafd6c6a
  3401. SHA1: 3f3ca523cc7ed06e9d8b86ee7fe0fcee394ff460
  3402. 604 3056
  3403. File
  3404. Open
  3405.  
  3406. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PalmCentro.xml
  3407. MD5: 992326804b1f5642c19dde09dafd6c6a
  3408. SHA1: 3f3ca523cc7ed06e9d8b86ee7fe0fcee394ff460
  3409. 604 3056
  3410. File
  3411. Close
  3412.  
  3413. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PalmCentro.xml
  3414. MD5: 71a23bca50f9c9b1468cca933c53ff69
  3415. SHA1: f312cf35a0a210a07e303d5b180af363686ec854
  3416. 604 3056
  3417. File
  3418. Rename
  3419.  
  3420. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PalmCentro.xml
  3421. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\ZvqgyWIl0jbUDuzksy+jC178cqCOsqdRf2u2Xosl0do=.7A2F0ADB1B90B147DABB.no_more_ransom
  3423. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  3424. MD5: 71a23bca50f9c9b1468cca933c53ff69
  3425. SHA1: f312cf35a0a210a07e303d5b180af363686ec854
  3426. 604 3056
  3427. File
  3428. Open
  3429.  
  3430. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Nokian97.xml
  3431. 604 6216
  3432. File
  3433. Open
  3434.  
  3435. C:\ProgramData\System32\xfs
  3436. MD5: 6fda7aaae38bbe8b64e7f6b6df0d9f0e
  3437. SHA1: 11e23cc41846a68218671813adefee86fd73de53
  3438. 604 6742
  3439. File
  3440. Close
  3441.  
  3442. C:\ProgramData\System32\xfs
  3443. MD5: 61b66310b775141e5c44def55fa3bd63
  3444. SHA1: 92bacef09b0b05f531b6a544b70f0734fbebbada
  3445. 604 6932
  3446. File
  3447. Hide
  3448.  
  3449. C:\ProgramData\System32\xfs
  3450. MD5: 61b66310b775141e5c44def55fa3bd63
  3451. SHA1: 92bacef09b0b05f531b6a544b70f0734fbebbada
  3452. 604 6932
  3453. File
  3454. Close
  3455.  
  3456. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Nokian97.xml
  3457. MD5: 70d583231166467f51569c2ca697cf90
  3458. SHA1: 1ec8052ee2f507fb96b14c5cafcb742fd918ffde
  3459. 604 6600
  3460. File
  3461. Open
  3462.  
  3463. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Nokian97.xml
  3464. MD5: 70d583231166467f51569c2ca697cf90
  3465. SHA1: 1ec8052ee2f507fb96b14c5cafcb742fd918ffde
  3466. 604 6600
  3467. File
  3468. Close
  3469.  
  3470. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Nokian97.xml
  3471. MD5: 80681a7e343adba3a1f4d3b6bb2159a3
  3472. SHA1: 42898e7d024b0f07d0655e5b625aaac18893efb3
  3473. 604 6608
  3474. File
  3475. Rename
  3476.  
  3477. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Nokian97.xml
  3478. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\J3NeZOq40KJ8nvVvWQQi7xczlGOlh87oOIDZIiQBN+A=.7A2F0ADB1B90B147DABB.no_more_ransom
  3480. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  3481. MD5: 80681a7e343adba3a1f4d3b6bb2159a3
  3482. SHA1: 42898e7d024b0f07d0655e5b625aaac18893efb3
  3483. 604 6608
  3484. File
  3485. Open
  3486.  
  3487. C:\ProgramData\System32\xfs
  3488. MD5: 61b66310b775141e5c44def55fa3bd63
  3489. SHA1: 92bacef09b0b05f531b6a544b70f0734fbebbada
  3490. 604 6932
  3491. File
  3492. Open
  3493.  
  3494. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaN95.xml
  3495. 604 5389
  3496. File
  3497. Close
  3498.  
  3499. C:\ProgramData\System32\xfs
  3500. MD5: 5551c6cc065fccda0537c8a860242366
  3501. SHA1: 2575aad811581133d9c0115feb443162b5cebf89
  3502. 604 7118
  3503. File
  3504. Hide
  3505.  
  3506. C:\ProgramData\System32\xfs
  3507. MD5: 5551c6cc065fccda0537c8a860242366
  3508. SHA1: 2575aad811581133d9c0115feb443162b5cebf89
  3509. 604 7118
  3510. File
  3511. Close
  3512.  
  3513. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaN95.xml
  3514. MD5: 3efa2599b89557034df7bbc2ad67334e
  3515. SHA1: 383d3cefa1b40503f571f0f74b258b53f3c7f5d8
  3516. 604 5773
  3517. File
  3518. Open
  3519.  
  3520. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaN95.xml
  3521. MD5: 3efa2599b89557034df7bbc2ad67334e
  3522. SHA1: 383d3cefa1b40503f571f0f74b258b53f3c7f5d8
  3523. 604 5773
  3524. File
  3525. Close
  3526.  
  3527. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaN95.xml
  3528. MD5: 57a03d4dcbbbc3f58f1d3ee1f8cd54d3
  3529. SHA1: 3a86aba5a2f5367c3dde4bc5d8e426130796db2e
  3530. 604 5776
  3531. File
  3532. Rename
  3533.  
  3534. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaN95.xml
  3535. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\VQRd7A5-N889jdlL5b-UsjKEivUNG+75wk7ro12yJRE=.7A2F0ADB1B90B147DABB.no_more_ransom
  3537. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  3538. MD5: 57a03d4dcbbbc3f58f1d3ee1f8cd54d3
  3539. SHA1: 3a86aba5a2f5367c3dde4bc5d8e426130796db2e
  3540. 604 5776
  3541. File
  3542. Open
  3543.  
  3544. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaE75.xml
  3545. 604 7451
  3546. File
  3547. Open
  3548.  
  3549. C:\ProgramData\System32\xfs
  3550. MD5: 5551c6cc065fccda0537c8a860242366
  3551. SHA1: 2575aad811581133d9c0115feb443162b5cebf89
  3552. 604 7118
  3553. File
  3554. Close
  3555.  
  3556. C:\ProgramData\System32\xfs
  3557. MD5: 0b5d08b76fad8990e73062bd427fb693
  3558. SHA1: fab075c476382fd9b3c6b99b781d0a136654b9d5
  3559. 604 7304
  3560. File
  3561. Hide
  3562.  
  3563. C:\ProgramData\System32\xfs
  3564. MD5: 0b5d08b76fad8990e73062bd427fb693
  3565. SHA1: fab075c476382fd9b3c6b99b781d0a136654b9d5
  3566. 604 7304
  3567. File
  3568. Close
  3569.  
  3570. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaE75.xml
  3571. MD5: ee3531a4b09d601575a15c58d57e847d
  3572. SHA1: 6f3d39554a4b3c31819229580011af7791b5a23a
  3573. 604 7835
  3574. File
  3575. Open
  3576.  
  3577. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaE75.xml
  3578. MD5: ee3531a4b09d601575a15c58d57e847d
  3579. SHA1: 6f3d39554a4b3c31819229580011af7791b5a23a
  3580. 604 7835
  3581. File
  3582. Close
  3583.  
  3584. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaE75.xml
  3585. MD5: 63558ee89b3508b372606ab11effaebf
  3586. SHA1: be8dc13503d20303e48eb2fb170e09fe5436d41e
  3587. 604 7840
  3588. File
  3589. Rename
  3590.  
  3591. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaE75.xml
  3592. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\vWysMuTWJbzvctFwpl6+zCRi09aOdgrTBJM--4WXeBg=.7A2F0ADB1B90B147DABB.no_more_ransom
  3594. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  3595. MD5: 63558ee89b3508b372606ab11effaebf
  3596. SHA1: be8dc13503d20303e48eb2fb170e09fe5436d41e
  3597. 604 7840
  3598. File
  3599. Open
  3600.  
  3601. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaE71x.xml
  3602. 604 7599
  3603. File
  3604. Open
  3605.  
  3606. C:\ProgramData\System32\xfs
  3607. MD5: 0b5d08b76fad8990e73062bd427fb693
  3608. SHA1: fab075c476382fd9b3c6b99b781d0a136654b9d5
  3609. 604 7304
  3610. File
  3611. Close
  3612.  
  3613. C:\ProgramData\System32\xfs
  3614. MD5: fb2602b04538bb74ee0edb7fb82befff
  3615. SHA1: 1a21f5a736e68a1fd6c9c27d8c3ecf39899578be
  3616. 604 7490
  3617. File
  3618. Hide
  3619.  
  3620. C:\ProgramData\System32\xfs
  3621. MD5: fb2602b04538bb74ee0edb7fb82befff
  3622. SHA1: 1a21f5a736e68a1fd6c9c27d8c3ecf39899578be
  3623. 604 7490
  3624. File
  3625. Close
  3626.  
  3627. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaE71x.xml
  3628. MD5: cf5956d9173416127b75e7859311fa93
  3629. SHA1: 7ddea280e53186cfaa5ebf8282fb89edf3dcf25a
  3630. 604 7983
  3631. File
  3632. Open
  3633.  
  3634. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaE71x.xml
  3635. MD5: cf5956d9173416127b75e7859311fa93
  3636. SHA1: 7ddea280e53186cfaa5ebf8282fb89edf3dcf25a
  3637. 604 7983
  3638. File
  3639. Close
  3640.  
  3641. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaE71x.xml
  3642. MD5: df00bbb3b1705409a6d8e40b4315f50a
  3643. SHA1: d532c8f623db5e9bd4d10644958c9f214ad6e0ff
  3644. 604 7984
  3645. File
  3646. Rename
  3647.  
  3648. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaE71x.xml
  3649. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\6OGLSO+0aLf9EnQBb4D-bz7VDRX18DOVoKrxRJt13q4=.7A2F0ADB1B90B147DABB.no_more_ransom
  3651. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  3652. MD5: df00bbb3b1705409a6d8e40b4315f50a
  3653. SHA1: d532c8f623db5e9bd4d10644958c9f214ad6e0ff
  3654. 604 7984
  3655. File
  3656. Open
  3657.  
  3658. C:\ProgramData\System32\xfs
  3659. MD5: fb2602b04538bb74ee0edb7fb82befff
  3660. SHA1: 1a21f5a736e68a1fd6c9c27d8c3ecf39899578be
  3661. 604 7490
  3662. File
  3663. Open
  3664.  
  3665. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Nokia5800XpressMusic.xml
  3666. 604 8189
  3667. File
  3668. Close
  3669.  
  3670. C:\ProgramData\System32\xfs
  3671. MD5: 21fddc5464b0295dfa63b2dfa4d77e08
  3672. SHA1: 47ed35901f0c34ab1b77de9500c7fb17b20159d3
  3673. 604 7678
  3674. File
  3675. Hide
  3676.  
  3677. C:\ProgramData\System32\xfs
  3678. MD5: 21fddc5464b0295dfa63b2dfa4d77e08
  3679. SHA1: 47ed35901f0c34ab1b77de9500c7fb17b20159d3
  3680. 604 7678
  3681. File
  3682. Close
  3683.  
  3684. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Nokia5800XpressMusic.xml
  3685. MD5: 4c1b35fb30da2f2ccf631c03159609e5
  3686. SHA1: 091318cf8b671ee293a7f7e57af2222e7c0d6435
  3687. 604 8573
  3688. File
  3689. Open
  3690.  
  3691. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Nokia5800XpressMusic.xml
  3692. MD5: 4c1b35fb30da2f2ccf631c03159609e5
  3693. SHA1: 091318cf8b671ee293a7f7e57af2222e7c0d6435
  3694. 604 8573
  3695. File
  3696. Close
  3697.  
  3698. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Nokia5800XpressMusic.xml
  3699. MD5: 03758ad4f7ae03bab6f7a58264806d45
  3700. SHA1: 2cda2168df20b9ade0defbd25997b0a0b5cc260c
  3701. 604 8576
  3702. File
  3703. Rename
  3704.  
  3705. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Nokia5800XpressMusic.xml
  3706. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SCFUImbeQrm+a5tgEqrF99mfDvYTOEjO5F4WcFT99hy2z2a560QCkD4Lsc+-Binn.7A2F0ADB1B90B147DABB.no_more_ransom
  3708. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  3709. MD5: 03758ad4f7ae03bab6f7a58264806d45
  3710. SHA1: 2cda2168df20b9ade0defbd25997b0a0b5cc260c
  3711. 604 8576
  3712. File
  3713. Open
  3714.  
  3715. C:\ProgramData\System32\xfs
  3716. MD5: 21fddc5464b0295dfa63b2dfa4d77e08
  3717. SHA1: 47ed35901f0c34ab1b77de9500c7fb17b20159d3
  3718. 604 7678
  3719. File
  3720. Close
  3721.  
  3722. C:\ProgramData\System32\xfs
  3723. MD5: c5cd55f5e0bf6586e2c2251ed0cf5a66
  3724. SHA1: aa5e5e0146efb4388a922bf81c11b419b7d898c3
  3725. 604 7888
  3726. File
  3727. Hide
  3728.  
  3729. C:\ProgramData\System32\xfs
  3730. MD5: c5cd55f5e0bf6586e2c2251ed0cf5a66
  3731. SHA1: aa5e5e0146efb4388a922bf81c11b419b7d898c3
  3732. 604 7888
  3733. File
  3734. Open
  3735.  
  3736. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MP3Player.xml
  3737. 604 1506
  3738. File
  3739. Close
  3740.  
  3741. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MP3Player.xml
  3742. MD5: dd02db100c5cbcd05e0c8f79deeb7ab6
  3743. SHA1: 5dd1d1d52b96ba1a540c7d1fdcfd566116fddd21
  3744. 604 1890
  3745. File
  3746. Open
  3747.  
  3748. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MP3Player.xml
  3749. MD5: dd02db100c5cbcd05e0c8f79deeb7ab6
  3750. SHA1: 5dd1d1d52b96ba1a540c7d1fdcfd566116fddd21
  3751. 604 1890
  3752. File
  3753. Close
  3754.  
  3755. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MP3Player.xml
  3756. MD5: 96892e8263a4b83463c220fe258d9970
  3757. SHA1: 10f3f7055b112d35df88c6a42656a3d1dd0b60a7
  3758. 604 1904
  3759. File
  3760. Rename
  3761.  
  3762. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MP3Player.xml
  3763. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\WOJO7bg0rG+2Jo-WKilSxJu1ixDOmczYcC1F+FfTmnc=.7A2F0ADB1B90B147DABB.no_more_ransom
  3765. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  3766. MD5: 96892e8263a4b83463c220fe258d9970
  3767. SHA1: 10f3f7055b112d35df88c6a42656a3d1dd0b60a7
  3768. 604 1904
  3769. File
  3770. Open
  3771.  
  3772. C:\ProgramData\System32\xfs
  3773. MD5: c5cd55f5e0bf6586e2c2251ed0cf5a66
  3774. SHA1: aa5e5e0146efb4388a922bf81c11b419b7d898c3
  3775. 604 7888
  3776. File
  3777. Open
  3778.  
  3779. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaDroid.xml
  3780. 604 7496
  3781. File
  3782. Close
  3783.  
  3784. C:\ProgramData\System32\xfs
  3785. MD5: 697e93e5eaeaa57e2a63c520a9793547
  3786. SHA1: 55093fadc2f474dfb2bb2c01ccd58d38d9eeeb98
  3787. 604 8076
  3788. File
  3789. Hide
  3790.  
  3791. C:\ProgramData\System32\xfs
  3792. MD5: 697e93e5eaeaa57e2a63c520a9793547
  3793. SHA1: 55093fadc2f474dfb2bb2c01ccd58d38d9eeeb98
  3794. 604 8076
  3795. File
  3796. Close
  3797.  
  3798. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaDroid.xml
  3799. MD5: 7ec43407a43f6ece0f8441c51d06c0bb
  3800. SHA1: c590787ce7dd0ab9a4c922e89768ed3c3f6ae4b9
  3801. 604 7880
  3802. File
  3803. Open
  3804.  
  3805. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaDroid.xml
  3806. MD5: 7ec43407a43f6ece0f8441c51d06c0bb
  3807. SHA1: c590787ce7dd0ab9a4c922e89768ed3c3f6ae4b9
  3808. 604 7880
  3809. File
  3810. Close
  3811.  
  3812. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaDroid.xml
  3813. MD5: 3eb8c3db15394c3cdbe955455724eddd
  3814. SHA1: cc3f522032664a8b7f3e4ff6558806c551ff918c
  3815. 604 7888
  3816. File
  3817. Rename
  3818.  
  3819. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaDroid.xml
  3820. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\JF4ZghmFRm5bgQhs5qv4jBYsHN8ONp55kSxrcUlPFg210-Q-ZWMKpRP+8K4q-U54.7A2F0ADB1B90B147DABB.no_more_ransom
  3822. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  3823. MD5: 3eb8c3db15394c3cdbe955455724eddd
  3824. SHA1: cc3f522032664a8b7f3e4ff6558806c551ff918c
  3825. 604 7888
  3826. File
  3827. Open
  3828.  
  3829. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaCliq.xml
  3830. 604 6183
  3831. File
  3832. Open
  3833.  
  3834. C:\ProgramData\System32\xfs
  3835. MD5: 697e93e5eaeaa57e2a63c520a9793547
  3836. SHA1: 55093fadc2f474dfb2bb2c01ccd58d38d9eeeb98
  3837. 604 8076
  3838. File
  3839. Close
  3840.  
  3841. C:\ProgramData\System32\xfs
  3842. MD5: 10a6bd4631820dc149fc442007dbbfc5
  3843. SHA1: aa7c4579f1ca52ba0750c16cb7fb9013bfa20dfb
  3844. 604 8272
  3845. File
  3846. Hide
  3847.  
  3848. C:\ProgramData\System32\xfs
  3849. MD5: 10a6bd4631820dc149fc442007dbbfc5
  3850. SHA1: aa7c4579f1ca52ba0750c16cb7fb9013bfa20dfb
  3851. 604 8272
  3852. File
  3853. Close
  3854.  
  3855. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaCliq.xml
  3856. MD5: e56804a04b35ff509717af7f75eebe33
  3857. SHA1: e1fde1b10744bd2b3896233eda33288d879e8128
  3858. 604 6567
  3859. File
  3860. Open
  3861.  
  3862. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaCliq.xml
  3863. MD5: e56804a04b35ff509717af7f75eebe33
  3864. SHA1: e1fde1b10744bd2b3896233eda33288d879e8128
  3865. 604 6567
  3866. File
  3867. Close
  3868.  
  3869. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaCliq.xml
  3870. MD5: 93d216fe0ffa0ef57d1c3b7eab1325ae
  3871. SHA1: 94dd761e6867496c7f7d0d77bb4db6fbee062336
  3872. 604 6576
  3873. File
  3874. Rename
  3875.  
  3876. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaCliq.xml
  3877. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\-OUJMJbiqB1OlpA5vP+HG2UuAyVqp6+bjKfa2tx3-qI=.7A2F0ADB1B90B147DABB.no_more_ransom
  3879. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  3880. MD5: 93d216fe0ffa0ef57d1c3b7eab1325ae
  3881. SHA1: 94dd761e6867496c7f7d0d77bb4db6fbee062336
  3882. 604 6576
  3883. File
  3884. Open
  3885.  
  3886. C:\ProgramData\System32\xfs
  3887. MD5: 10a6bd4631820dc149fc442007dbbfc5
  3888. SHA1: aa7c4579f1ca52ba0750c16cb7fb9013bfa20dfb
  3889. 604 8272
  3890. File
  3891. Close
  3892.  
  3893. C:\ProgramData\System32\xfs
  3894. MD5: c0e1a339edd36fc67cd43d6a086b6534
  3895. SHA1: 84aca458ae2189ed3cd71fe9ab0f109cc990dbfc
  3896. 604 8466
  3897. File
  3898. Hide
  3899.  
  3900. C:\ProgramData\System32\xfs
  3901. MD5: c0e1a339edd36fc67cd43d6a086b6534
  3902. SHA1: 84aca458ae2189ed3cd71fe9ab0f109cc990dbfc
  3903. 604 8466
  3904. File
  3905. Open
  3906.  
  3907. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaBackflip.xml
  3908. 604 5800
  3909. File
  3910. Close
  3911.  
  3912. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaBackflip.xml
  3913. MD5: f01d6ebe9626aa9963df89d1e13af284
  3914. SHA1: 57bc62dee26d11c6855b0bb273077ea7af122b86
  3915. 604 6184
  3916. File
  3917. Open
  3918.  
  3919. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaBackflip.xml
  3920. MD5: f01d6ebe9626aa9963df89d1e13af284
  3921. SHA1: 57bc62dee26d11c6855b0bb273077ea7af122b86
  3922. 604 6184
  3923. File
  3924. Close
  3925.  
  3926. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaBackflip.xml
  3927. MD5: 8fcdc7a38dd19344caefebd702ebd6c9
  3928. SHA1: d2ec0685b3370c6cf4b2c7aaa5960d2c51a47555
  3929. 604 6192
  3930. File
  3931. Rename
  3932.  
  3933. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaBackflip.xml
  3934. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\sXqt18Ul5tHMofWOcldXtkL8QXT+S0PEFQ4NhjRuI-nWH5Wz4mgBUcv5B2F4iFm9.7A2F0ADB1B90B147DABB.no_more_ransom
  3936. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  3937. MD5: 8fcdc7a38dd19344caefebd702ebd6c9
  3938. SHA1: d2ec0685b3370c6cf4b2c7aaa5960d2c51a47555
  3939. 604 6192
  3940. File
  3941. Open
  3942.  
  3943. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Motorola.xml
  3944. 604 5951
  3945. File
  3946. Open
  3947.  
  3948. C:\ProgramData\System32\xfs
  3949. MD5: c0e1a339edd36fc67cd43d6a086b6534
  3950. SHA1: 84aca458ae2189ed3cd71fe9ab0f109cc990dbfc
  3951. 604 8466
  3952. File
  3953. Close
  3954.  
  3955. C:\ProgramData\System32\xfs
  3956. MD5: 3dc1a077836de0c70907d4a89c44ce01
  3957. SHA1: c047af193c183163b991d485615e6f717a172448
  3958. 604 8668
  3959. File
  3960. Hide
  3961.  
  3962. C:\ProgramData\System32\xfs
  3963. MD5: 3dc1a077836de0c70907d4a89c44ce01
  3964. SHA1: c047af193c183163b991d485615e6f717a172448
  3965. 604 8668
  3966. File
  3967. Close
  3968.  
  3969. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Motorola.xml
  3970. MD5: ffcd80631c51cc6b489c238ef7761d1d
  3971. SHA1: 4142df7c05522953e2a1df961f97628034fab8e3
  3972. 604 6335
  3973. File
  3974. Open
  3975.  
  3976. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Motorola.xml
  3977. MD5: ffcd80631c51cc6b489c238ef7761d1d
  3978. SHA1: 4142df7c05522953e2a1df961f97628034fab8e3
  3979. 604 6335
  3980. File
  3981. Close
  3982.  
  3983. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Motorola.xml
  3984. MD5: d67107ac114a8c4e9f9240b06448c9ce
  3985. SHA1: 4cf276cc1d71e9329c39d086aaaffb38d9d2e4bc
  3986. 604 6336
  3987. File
  3988. Rename
  3989.  
  3990. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Motorola.xml
  3991. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\W3MxEkwumT6qf1PQYY7e804NK3+okMp7aOEy2172Mp4=.7A2F0ADB1B90B147DABB.no_more_ransom
  3993. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  3994. MD5: d67107ac114a8c4e9f9240b06448c9ce
  3995. SHA1: 4cf276cc1d71e9329c39d086aaaffb38d9d2e4bc
  3996. 604 6336
  3997. File
  3998. Open
  3999.  
  4000. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\LG.xml
  4001. 604 6249
  4002. File
  4003. Open
  4004.  
  4005. C:\ProgramData\System32\xfs
  4006. MD5: 3dc1a077836de0c70907d4a89c44ce01
  4007. SHA1: c047af193c183163b991d485615e6f717a172448
  4008. 604 8668
  4009. File
  4010. Close
  4011.  
  4012. C:\ProgramData\System32\xfs
  4013. MD5: 981003f2d780d7d6208709a805bd33e0
  4014. SHA1: b900d15729abca028fe4fd88c6d4b3151dac9370
  4015. 604 8854
  4016. File
  4017. Hide
  4018.  
  4019. C:\ProgramData\System32\xfs
  4020. MD5: 981003f2d780d7d6208709a805bd33e0
  4021. SHA1: b900d15729abca028fe4fd88c6d4b3151dac9370
  4022. 604 8854
  4023. File
  4024. Close
  4025.  
  4026. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\LG.xml
  4027. MD5: a5b6b5270ff62d9a1f45bfebd4e22a81
  4028. SHA1: 1efd65a0a28bb0da73960b423fb03c6950005598
  4029. 604 6633
  4030. File
  4031. Open
  4032.  
  4033. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\LG.xml
  4034. MD5: a5b6b5270ff62d9a1f45bfebd4e22a81
  4035. SHA1: 1efd65a0a28bb0da73960b423fb03c6950005598
  4036. 604 6633
  4037. File
  4038. Close
  4039.  
  4040. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\LG.xml
  4041. MD5: 60a4027f7cfe86e41eb3170eaf6df55e
  4042. SHA1: 4fc33bc6fce98cfc7b4e25e0b82436a94cfa2f8d
  4043. 604 6640
  4044. File
  4045. Rename
  4046.  
  4047. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\LG.xml
  4048. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\RGr8JRRhObk5OJvjVTJRsg==.7A2F0ADB1B90B147DABB.no_more_ransom
  4050. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  4051. MD5: 60a4027f7cfe86e41eb3170eaf6df55e
  4052. SHA1: 4fc33bc6fce98cfc7b4e25e0b82436a94cfa2f8d
  4053. 604 6640
  4054. File
  4055. Open
  4056.  
  4057. C:\ProgramData\System32\xfs
  4058. MD5: 981003f2d780d7d6208709a805bd33e0
  4059. SHA1: b900d15729abca028fe4fd88c6d4b3151dac9370
  4060. 604 8854
  4061. File
  4062. Open
  4063.  
  4064. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iTunes.xml
  4065. 604 4509
  4066. File
  4067. Close
  4068.  
  4069. C:\ProgramData\System32\xfs
  4070. MD5: 8f53d63be4b3e81743836fd4d30546ad
  4071. SHA1: a645e7d47e7ecdc5132e994a77546508f5c2f838
  4072. 604 9028
  4073. File
  4074. Hide
  4075.  
  4076. C:\ProgramData\System32\xfs
  4077. MD5: 8f53d63be4b3e81743836fd4d30546ad
  4078. SHA1: a645e7d47e7ecdc5132e994a77546508f5c2f838
  4079. 604 9028
  4080. File
  4081. Close
  4082.  
  4083. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iTunes.xml
  4084. MD5: 0074d823e62804fe91888b080e0e1160
  4085. SHA1: 23cade50f29d61a3e1cba20959b906f10e6ede73
  4086. 604 4893
  4087. File
  4088. Open
  4089.  
  4090. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iTunes.xml
  4091. MD5: 0074d823e62804fe91888b080e0e1160
  4092. SHA1: 23cade50f29d61a3e1cba20959b906f10e6ede73
  4093. 604 4893
  4094. File
  4095. Close
  4096.  
  4097. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iTunes.xml
  4098. MD5: 56c5041dd4d279f53897c0c04aaa9814
  4099. SHA1: e83b9393ac9288d3129812c84f7a0098c436377f
  4100. 604 4896
  4101. File
  4102. Rename
  4103.  
  4104. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iTunes.xml
  4105. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\lJqDbyi7QRnMH3ERqljrJwlmUnPhzk7ocQbHB2qjTb0=.7A2F0ADB1B90B147DABB.no_more_ransom
  4107. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  4108. MD5: 56c5041dd4d279f53897c0c04aaa9814
  4109. SHA1: e83b9393ac9288d3129812c84f7a0098c436377f
  4110. 604 4896
  4111. File
  4112. Open
  4113.  
  4114. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPod.xml
  4115. 604 4608
  4116. File
  4117. Open
  4118.  
  4119. C:\ProgramData\System32\xfs
  4120. MD5: 8f53d63be4b3e81743836fd4d30546ad
  4121. SHA1: a645e7d47e7ecdc5132e994a77546508f5c2f838
  4122. 604 9028
  4123. File
  4124. Close
  4125.  
  4126. C:\ProgramData\System32\xfs
  4127. MD5: a13828ac34fe0323b30a0eee1d51d518
  4128. SHA1: e78e1a943bbb629d5671f413168a987e004622a3
  4129. 604 9210
  4130. File
  4131. Hide
  4132.  
  4133. C:\ProgramData\System32\xfs
  4134. MD5: a13828ac34fe0323b30a0eee1d51d518
  4135. SHA1: e78e1a943bbb629d5671f413168a987e004622a3
  4136. 604 9210
  4137. File
  4138. Close
  4139.  
  4140. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPod.xml
  4141. MD5: deaac5a83902073a874a0036e8d97c25
  4142. SHA1: 2d034360d6e3a55bf2a0fe52e15b7fef2bbb9740
  4143. 604 4992
  4144. File
  4145. Open
  4146.  
  4147. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPod.xml
  4148. MD5: deaac5a83902073a874a0036e8d97c25
  4149. SHA1: 2d034360d6e3a55bf2a0fe52e15b7fef2bbb9740
  4150. 604 4992
  4151. File
  4152. Close
  4153.  
  4154. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPod.xml
  4155. MD5: 9a23dcb320791fca36ece081a5e5c41e
  4156. SHA1: 602f70a0fcd2ce4e3714cfc3018ff348875a0dd3
  4157. 604 4992
  4158. File
  4159. Rename
  4160.  
  4161. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPod.xml
  4162. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\K4BaNvbw9uapwphCowjUHQ==.7A2F0ADB1B90B147DABB.no_more_ransom
  4164. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  4165. MD5: 9a23dcb320791fca36ece081a5e5c41e
  4166. SHA1: 602f70a0fcd2ce4e3714cfc3018ff348875a0dd3
  4167. 604 4992
  4168. File
  4169. Open
  4170.  
  4171. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone5.xml
  4172. 604 4653
  4173. File
  4174. Open
  4175.  
  4176. C:\ProgramData\System32\xfs
  4177. MD5: a13828ac34fe0323b30a0eee1d51d518
  4178. SHA1: e78e1a943bbb629d5671f413168a987e004622a3
  4179. 604 9210
  4180. File
  4181. Close
  4182.  
  4183. C:\ProgramData\System32\xfs
  4184. MD5: cf6a9bcaa4cc789e3f7c98ec750fbf59
  4185. SHA1: 05f2c37eaee472727e5dd1de6a61cb16ab05bd6b
  4186. 604 9388
  4187. File
  4188. Hide
  4189.  
  4190. C:\ProgramData\System32\xfs
  4191. MD5: cf6a9bcaa4cc789e3f7c98ec750fbf59
  4192. SHA1: 05f2c37eaee472727e5dd1de6a61cb16ab05bd6b
  4193. 604 9388
  4194. File
  4195. Close
  4196.  
  4197. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone5.xml
  4198. MD5: 68564e9e065bd0e666cd99d6df9b5eff
  4199. SHA1: 7dc8dad6098b23f97d0509bee156366327fc810c
  4200. 604 5037
  4201. File
  4202. Open
  4203.  
  4204. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone5.xml
  4205. MD5: 68564e9e065bd0e666cd99d6df9b5eff
  4206. SHA1: 7dc8dad6098b23f97d0509bee156366327fc810c
  4207. 604 5037
  4208. File
  4209. Close
  4210.  
  4211. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone5.xml
  4212. MD5: 4a38510f581e03ebacde3fb221fadf80
  4213. SHA1: ce96b572493bb2faaa26cd6a459f983fd10cd9ca
  4214. 604 5040
  4215. File
  4216. Rename
  4217.  
  4218. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone5.xml
  4219. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\qJBrPEVU4M5QpFREI84TRe+SaY5ImjATVXb9rMlqHz
  4220. I=.7A2F0ADB1B90B147DABB.no_more_ransom
  4221. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  4222. MD5: 4a38510f581e03ebacde3fb221fadf80
  4223. SHA1: ce96b572493bb2faaa26cd6a459f983fd10cd9ca
  4224. 604 5040
  4225. File
  4226. Open
  4227.  
  4228. C:\ProgramData\System32\xfs
  4229. MD5: cf6a9bcaa4cc789e3f7c98ec750fbf59
  4230. SHA1: 05f2c37eaee472727e5dd1de6a61cb16ab05bd6b
  4231. 604 9388
  4232. File
  4233. Close
  4234.  
  4235. C:\ProgramData\System32\xfs
  4236. MD5: ecc212d1b7586b1bd4276c9dd46bbf41
  4237. SHA1: 9eec229cef45fe795dc3d3a471719b86883644d1
  4238. 604 9572
  4239. File
  4240. Hide
  4241.  
  4242. C:\ProgramData\System32\xfs
  4243. MD5: ecc212d1b7586b1bd4276c9dd46bbf41
  4244. SHA1: 9eec229cef45fe795dc3d3a471719b86883644d1
  4245. 604 9572
  4246. File
  4247. Open
  4248.  
  4249. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone4.xml
  4250. 604 4514
  4251. File
  4252. Close
  4253.  
  4254. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone4.xml
  4255. MD5: efb15a30cf8de043fb41fe220b27d221
  4256. SHA1: 101e8384bd56c9771f9bc954c55bf37d5912dc9f
  4257. 604 4898
  4258. File
  4259. Open
  4260.  
  4261. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone4.xml
  4262. MD5: efb15a30cf8de043fb41fe220b27d221
  4263. SHA1: 101e8384bd56c9771f9bc954c55bf37d5912dc9f
  4264. 604 4898
  4265. File
  4266. Close
  4267.  
  4268. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone4.xml
  4269. MD5: b7db7c3657fbe4551d12267bb825f397
  4270. SHA1: cdc4e49fe1158f1ee02a14a3aba96655a80ed4f0
  4271. 604 4912
  4272. File
  4273. Rename
  4274.  
  4275. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone4.xml
  4276. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Cy4rvq3gw9dg7Lrfkc+iquzkGHMx-E8c2l1F5wTtjt
  4277. M=.7A2F0ADB1B90B147DABB.no_more_ransom
  4278. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  4279. MD5: b7db7c3657fbe4551d12267bb825f397
  4280. SHA1: cdc4e49fe1158f1ee02a14a3aba96655a80ed4f0
  4281. 604 4912
  4282. File
  4283. Open
  4284.  
  4285. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone.xml
  4286. 604 4575
  4287. File
  4288. Open
  4289.  
  4290. C:\ProgramData\System32\xfs
  4291. MD5: ecc212d1b7586b1bd4276c9dd46bbf41
  4292. SHA1: 9eec229cef45fe795dc3d3a471719b86883644d1
  4293. 604 9572
  4294. File
  4295. Close
  4296.  
  4297. C:\ProgramData\System32\xfs
  4298. MD5: c540281564da97f35f7c809330b77591
  4299. SHA1: 38ae85b39549d6c1c83d5da0867b07a582dc8b86
  4300. 604 9756
  4301. File
  4302. Hide
  4303.  
  4304. C:\ProgramData\System32\xfs
  4305. MD5: c540281564da97f35f7c809330b77591
  4306. SHA1: 38ae85b39549d6c1c83d5da0867b07a582dc8b86
  4307. 604 9756
  4308. File
  4309. Close
  4310.  
  4311. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone.xml
  4312. MD5: 293d60e2959e5ac47e355c54a1e69dfc
  4313. SHA1: a61c6fc10d816268ee71935fce3ea57fcf82e87e
  4314. 604 4959
  4315. File
  4316. Open
  4317.  
  4318. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone.xml
  4319. MD5: 293d60e2959e5ac47e355c54a1e69dfc
  4320. SHA1: a61c6fc10d816268ee71935fce3ea57fcf82e87e
  4321. 604 4959
  4322. File
  4323. Close
  4324.  
  4325. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone.xml
  4326. MD5: 3d690554e544230bd3f1e77a919fbef3
  4327. SHA1: 38fc0d2faf7bc4751852ace53ecfc32ab19b5255
  4328. 604 4960
  4329. File
  4330. Rename
  4331.  
  4332. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone.xml
  4333. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\0oYa02CPiUSrtVBSPCvREhelsmq7i57tqEsTr4sJIy
  4334. U=.7A2F0ADB1B90B147DABB.no_more_ransom
  4335. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  4336. MD5: 3d690554e544230bd3f1e77a919fbef3
  4337. SHA1: 38fc0d2faf7bc4751852ace53ecfc32ab19b5255
  4338. 604 4960
  4339. File
  4340. Open
  4341.  
  4342. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPad3.xml
  4343. 604 4733
  4344. File
  4345. Open
  4346.  
  4347. C:\ProgramData\System32\xfs
  4348. MD5: c540281564da97f35f7c809330b77591
  4349. SHA1: 38ae85b39549d6c1c83d5da0867b07a582dc8b86
  4350. 604 9756
  4351. File
  4352. Close
  4353.  
  4354. C:\ProgramData\System32\xfs
  4355. MD5: 1afe614f2f9ddf2d8448e60b26037079
  4356. SHA1: aeffc6c11dd6c3ea0f5f0b4afbd0b77f917662e0
  4357. 604 9938
  4358. File
  4359. Hide
  4360.  
  4361. C:\ProgramData\System32\xfs
  4362. MD5: 1afe614f2f9ddf2d8448e60b26037079
  4363. SHA1: aeffc6c11dd6c3ea0f5f0b4afbd0b77f917662e0
  4364. 604 9938
  4365. File
  4366. Close
  4367.  
  4368. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPad3.xml
  4369. MD5: aa45160f55a9b62428513787d7132a73
  4370. SHA1: 40677af43d2930c9369f951c6f31ebfda865f7df
  4371. 604 5117
  4372. File
  4373. Open
  4374.  
  4375. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPad3.xml
  4376. MD5: aa45160f55a9b62428513787d7132a73
  4377. SHA1: 40677af43d2930c9369f951c6f31ebfda865f7df
  4378. 604 5117
  4379. File
  4380. Close
  4381.  
  4382. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPad3.xml
  4383. MD5: bdb358b129dd290e98cdaf2ee09d3509
  4384. SHA1: f669cd7186228dcc1f3d15b5ced26539e46c36d2
  4385. 604 5120
  4386. File
  4387. Rename
  4388.  
  4389. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPad3.xml
  4390. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\rNr1WjfoAr5HKfhss6GHM1UyR9PXWoM6SPnQrTBkNK
  4391. o=.7A2F0ADB1B90B147DABB.no_more_ransom
  4392. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  4393. MD5: bdb358b129dd290e98cdaf2ee09d3509
  4394. SHA1: f669cd7186228dcc1f3d15b5ced26539e46c36d2
  4395. 604 5120
  4396. File
  4397. Open
  4398.  
  4399. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPad.xml
  4400. 604 4470
  4401. File
  4402. Open
  4403.  
  4404. C:\ProgramData\System32\xfs
  4405. MD5: 1afe614f2f9ddf2d8448e60b26037079
  4406. SHA1: aeffc6c11dd6c3ea0f5f0b4afbd0b77f917662e0
  4407. 604 9938
  4408. File
  4409. Close
  4410.  
  4411. C:\ProgramData\System32\xfs
  4412. MD5: 422411d2000f9bf8bebeac1d07ec5b93
  4413. SHA1: a9a93e98deb1df9797e03052bf0544b4470a0b37
  4414. 604 10118
  4415. File
  4416. Hide
  4417.  
  4418. C:\ProgramData\System32\xfs
  4419. MD5: 422411d2000f9bf8bebeac1d07ec5b93
  4420. SHA1: a9a93e98deb1df9797e03052bf0544b4470a0b37
  4421. 604 10118
  4422. File
  4423. Close
  4424.  
  4425. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPad.xml
  4426. MD5: 975a4d160191d874401ba7676e44841a
  4427. SHA1: 0e3a1331f24972b73349c4d1881f8522c83557b3
  4428. 604 4854
  4429. File
  4430. Open
  4431.  
  4432. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPad.xml
  4433. MD5: 975a4d160191d874401ba7676e44841a
  4434. SHA1: 0e3a1331f24972b73349c4d1881f8522c83557b3
  4435. 604 4854
  4436. File
  4437. Close
  4438.  
  4439. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPad.xml
  4440. MD5: d6ca7d0fbce3ec5fbe09792bca8f8bac
  4441. SHA1: a39956fda6d5e1500bc4174e6359e9a482c0b3cb
  4442. 604 4864
  4443. File
  4444. Rename
  4445.  
  4446. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPad.xml
  4447. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\D4Cq9GlHFuf36r4EEvC2kA==.7A2F0ADB1B90B147D
  4448. ABB.no_more_ransom
  4449. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  4450. MD5: d6ca7d0fbce3ec5fbe09792bca8f8bac
  4451. SHA1: a39956fda6d5e1500bc4174e6359e9a482c0b3cb
  4452. 604 4864
  4453. File
  4454. Open
  4455.  
  4456. C:\ProgramData\System32\xfs
  4457. MD5: 422411d2000f9bf8bebeac1d07ec5b93
  4458. SHA1: a9a93e98deb1df9797e03052bf0544b4470a0b37
  4459. 604 10118
  4460. File
  4461. Close
  4462.  
  4463. C:\ProgramData\System32\xfs
  4464. MD5: a94296ba41dfa95c97c58e5b2db01d89
  4465. SHA1: f7346a85135d84b8fc5c89ba64751a842946f49c
  4466. 604 10296
  4467. File
  4468. Hide
  4469.  
  4470. C:\ProgramData\System32\xfs
  4471. MD5: a94296ba41dfa95c97c58e5b2db01d89
  4472. SHA1: f7346a85135d84b8fc5c89ba64751a842946f49c
  4473. 604 10296
  4474. File
  4475. Open
  4476.  
  4477. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCTouchDiamond.xml
  4478. 604 7209
  4479. File
  4480. Close
  4481.  
  4482. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCTouchDiamond.xml
  4483. MD5: 45c8981b9721a77e5f6422afd0e1b621
  4484. SHA1: bec73c31aa723f736a0f7993860f7308b5db16f7
  4485. 604 7593
  4486. File
  4487. Open
  4488.  
  4489. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCTouchDiamond.xml
  4490. MD5: 45c8981b9721a77e5f6422afd0e1b621
  4491. SHA1: bec73c31aa723f736a0f7993860f7308b5db16f7
  4492. 604 7593
  4493. File
  4494. Close
  4495.  
  4496. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCTouchDiamond.xml
  4497. MD5: ab4dd29c5657a34c219c2df554652d5c
  4498. SHA1: ec0622e436047fbb24a22acc368cf248767e8f86
  4499. 604 7600
  4500. File
  4501. Rename
  4502.  
  4503. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCTouchDiamond.xml
  4504. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\1jXfXWMb8PDGy5xLM61+wxuKf1exQzSmJgwvk5uzQp
  4505. NcTteCUr6++ZhPzmm9eoWY.7A2F0ADB1B90B147DABB.no_more_ransom
  4506. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  4507. MD5: ab4dd29c5657a34c219c2df554652d5c
  4508. SHA1: ec0622e436047fbb24a22acc368cf248767e8f86
  4509. 604 7600
  4510. File
  4511. Open
  4512.  
  4513. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCHero.xml
  4514. 604 7287
  4515. File
  4516. Open
  4517.  
  4518. C:\ProgramData\System32\xfs
  4519. MD5: a94296ba41dfa95c97c58e5b2db01d89
  4520. SHA1: f7346a85135d84b8fc5c89ba64751a842946f49c
  4521. 604 10296
  4522. File
  4523. Close
  4524.  
  4525. C:\ProgramData\System32\xfs
  4526. MD5: b57ba3d7a172383697c4d494750da2c3
  4527. SHA1: 3c29b7f2e748acf40b5a1eef7e5ed4ba4f356a06
  4528. 604 10496
  4529. File
  4530. Hide
  4531.  
  4532. C:\ProgramData\System32\xfs
  4533. MD5: b57ba3d7a172383697c4d494750da2c3
  4534. SHA1: 3c29b7f2e748acf40b5a1eef7e5ed4ba4f356a06
  4535. 604 10496
  4536. File
  4537. Close
  4538.  
  4539. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCHero.xml
  4540. MD5: 2ac0943a53d6f0edb396d33f1fd0f848
  4541. SHA1: 366577deda14b00b9c35ff9b9d4fcfc95783b816
  4542. 604 7671
  4543. File
  4544. Open
  4545.  
  4546. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCHero.xml
  4547. MD5: 2ac0943a53d6f0edb396d33f1fd0f848
  4548. SHA1: 366577deda14b00b9c35ff9b9d4fcfc95783b816
  4549. 604 7671
  4550. File
  4551. Close
  4552.  
  4553. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCHero.xml
  4554. MD5: ade598ff9bbbb137d980bfcd614613d1
  4555. SHA1: 6f7656e076aae0248b6558ebb95dddc67e5cfc3e
  4556. 604 7680
  4557. File
  4558. Rename
  4559.  
  4560. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCHero.xml
  4561. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\YEVe3rMyxpYkuCfaf0MaBoy8QDO9GsezI+7Oj0ClYx
  4562. 4=.7A2F0ADB1B90B147DABB.no_more_ransom
  4563. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  4564. MD5: ade598ff9bbbb137d980bfcd614613d1
  4565. SHA1: 6f7656e076aae0248b6558ebb95dddc67e5cfc3e
  4566. 604 7680
  4567. File
  4568. Open
  4569.  
  4570. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCEvo.xml
  4571. 604 7306
  4572. File
  4573. Open
  4574.  
  4575. C:\ProgramData\System32\xfs
  4576. MD5: b57ba3d7a172383697c4d494750da2c3
  4577. SHA1: 3c29b7f2e748acf40b5a1eef7e5ed4ba4f356a06
  4578. 604 10496
  4579. File
  4580. Close
  4581.  
  4582. C:\ProgramData\System32\xfs
  4583. MD5: d7f45b81966f4677f967df09d776cbde
  4584. SHA1: 11ed145d6583ed95bff36e98e963d90de9959a21
  4585. 604 10680
  4586. File
  4587. Hide
  4588.  
  4589. C:\ProgramData\System32\xfs
  4590. MD5: d7f45b81966f4677f967df09d776cbde
  4591. SHA1: 11ed145d6583ed95bff36e98e963d90de9959a21
  4592. 604 10680
  4593. File
  4594. Close
  4595.  
  4596. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCEvo.xml
  4597. MD5: a434771efc92fda02982178f1664393d
  4598. SHA1: 921a2fc0ec15de1894d4323cb47e0004c4e8d55a
  4599. 604 7690
  4600. File
  4601. Open
  4602.  
  4603. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCEvo.xml
  4604. MD5: a434771efc92fda02982178f1664393d
  4605. SHA1: 921a2fc0ec15de1894d4323cb47e0004c4e8d55a
  4606. 604 7690
  4607. File
  4608. Close
  4609.  
  4610. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCEvo.xml
  4611. MD5: 2e424414185cdf578af400da19f2db5e
  4612. SHA1: abe1d349094214b59514a7b8db0babe959916908
  4613. 604 7696
  4614. File
  4615. Rename
  4616.  
  4617. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCEvo.xml
  4618. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\bHqXqfQXtqw7Omj+hd6FbDBCdPs8t4DONY99FPziay
  4619. k=.7A2F0ADB1B90B147DABB.no_more_ransom
  4620. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  4621. MD5: 2e424414185cdf578af400da19f2db5e
  4622. SHA1: abe1d349094214b59514a7b8db0babe959916908
  4623. 604 7696
  4624. File
  4625. Open
  4626.  
  4627. C:\ProgramData\System32\xfs
  4628. MD5: d7f45b81966f4677f967df09d776cbde
  4629. SHA1: 11ed145d6583ed95bff36e98e963d90de9959a21
  4630. 604 10680
  4631. File
  4632. Close
  4633.  
  4634. C:\ProgramData\System32\xfs
  4635. MD5: 32ea53b9c0818d90581228724b1bb307
  4636. SHA1: 43c0a85cc0b2d76f7795b4046b4985049e0a9470
  4637. 604 10862
  4638. File
  4639. Hide
  4640.  
  4641. C:\ProgramData\System32\xfs
  4642. MD5: 32ea53b9c0818d90581228724b1bb307
  4643. SHA1: 43c0a85cc0b2d76f7795b4046b4985049e0a9470
  4644. 604 10862
  4645. File
  4646. Open
  4647.  
  4648. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC1X.xml
  4649. 604 9129
  4650. File
  4651. Close
  4652.  
  4653. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC1X.xml
  4654. MD5: 4888779182bf8bd708239876234da33c
  4655. SHA1: a100821284bdc40cc0a38a0902818c016c42d978
  4656. 604 9513
  4657. File
  4658. Open
  4659.  
  4660. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC1X.xml
  4661. MD5: 4888779182bf8bd708239876234da33c
  4662. SHA1: a100821284bdc40cc0a38a0902818c016c42d978
  4663. 604 9513
  4664. File
  4665. Close
  4666.  
  4667. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC1X.xml
  4668. MD5: 72458a8dc63cd2e5c1d6f5c6be35020a
  4669. SHA1: fc9de2cadac28844960366865e16f7bcafbeb4e6
  4670. 604 9520
  4671. File
  4672. Rename
  4673.  
  4674. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC1X.xml
  4675. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\fFaLpscuXlh2nN8rxURCAiR5UCQG2U6Giov+u2wmI9
  4676. A=.7A2F0ADB1B90B147DABB.no_more_ransom
  4677. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  4678. MD5: 72458a8dc63cd2e5c1d6f5c6be35020a
  4679. SHA1: fc9de2cadac28844960366865e16f7bcafbeb4e6
  4680. 604 9520
  4681. File
  4682. Open
  4683.  
  4684. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC1S.xml
  4685. 604 9398
  4686. File
  4687. Open
  4688.  
  4689. C:\ProgramData\System32\xfs
  4690. MD5: 32ea53b9c0818d90581228724b1bb307
  4691. SHA1: 43c0a85cc0b2d76f7795b4046b4985049e0a9470
  4692. 604 10862
  4693. File
  4694. Close
  4695.  
  4696. C:\ProgramData\System32\xfs
  4697. MD5: 425d93bc2a6ef2c1243c54af7f236f45
  4698. SHA1: c910cab4276c22fb737f7ea705ee353b879a16fa
  4699. 604 11042
  4700. File
  4701. Hide
  4702.  
  4703. C:\ProgramData\System32\xfs
  4704. MD5: 425d93bc2a6ef2c1243c54af7f236f45
  4705. SHA1: c910cab4276c22fb737f7ea705ee353b879a16fa
  4706. 604 11042
  4707. File
  4708. Close
  4709.  
  4710. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC1S.xml
  4711. MD5: ba0d9b20596496baa1a4d9114a6f57c0
  4712. SHA1: 9e7297fd05262a619a3cb29848b97f809763cb4b
  4713. 604 9782
  4714. File
  4715. Open
  4716.  
  4717. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC1S.xml
  4718. MD5: ba0d9b20596496baa1a4d9114a6f57c0
  4719. SHA1: 9e7297fd05262a619a3cb29848b97f809763cb4b
  4720. 604 9782
  4721. File
  4722. Close
  4723.  
  4724. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC1S.xml
  4725. MD5: ad0b91e8518e400b018984996039aca5
  4726. SHA1: e546e4f61edbd9a112cf61f61ab46599896ed34a
  4727. 604 9792
  4728. File
  4729. Rename
  4730.  
  4731. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC1S.xml
  4732. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\RU9znbxpeZf9GsMH5wi8NpqTxtGNDMEs4sN4KKiizh
  4733. M=.7A2F0ADB1B90B147DABB.no_more_ransom
  4734. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  4735. MD5: ad0b91e8518e400b018984996039aca5
  4736. SHA1: e546e4f61edbd9a112cf61f61ab46599896ed34a
  4737. 604 9792
  4738. File
  4739. Open
  4740.  
  4741. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC.xml
  4742. 604 7554
  4743. File
  4744. Open
  4745.  
  4746. C:\ProgramData\System32\xfs
  4747. MD5: 425d93bc2a6ef2c1243c54af7f236f45
  4748. SHA1: c910cab4276c22fb737f7ea705ee353b879a16fa
  4749. 604 11042
  4750. File
  4751. Close
  4752.  
  4753. C:\ProgramData\System32\xfs
  4754. MD5: d137c15c7ab90948e800f3d1e8aa2034
  4755. SHA1: 77186409ea44bfebc7f88c35aa714c81fa84167a
  4756. 604 11222
  4757. File
  4758. Hide
  4759.  
  4760. C:\ProgramData\System32\xfs
  4761. MD5: d137c15c7ab90948e800f3d1e8aa2034
  4762. SHA1: 77186409ea44bfebc7f88c35aa714c81fa84167a
  4763. 604 11222
  4764. API Call
  4765.  
  4766. API Name: Sleep Address: 0x0040e6c8
  4767. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
  4768. 604
  4769. High Cpu
  4770.  
  4771. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  4772. 604
  4773. Regkey
  4774. Setval
  4775.  
  4776. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\"xcnt" = 66
  4777. 604
  4778. ProcessTelemetryReport
  4779.  
  4780. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  4781. 604
  4782. File
  4783. Close
  4784.  
  4785. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC.xml
  4786. MD5: 108519e74ead11e621e22aaa44f17869
  4787. SHA1: 597dc8ea5bd62a0bd2ffb6c996663569611bda9e
  4788. 604 7938
  4789. File
  4790. Open
  4791.  
  4792. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC.xml
  4793. MD5: 108519e74ead11e621e22aaa44f17869
  4794. SHA1: 597dc8ea5bd62a0bd2ffb6c996663569611bda9e
  4795. 604 7938
  4796. File
  4797. Close
  4798.  
  4799. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC.xml
  4800. MD5: b9fb3451b1f67c38c970a32832fa5b4b
  4801. SHA1: 6a60bcc4952b6f159a25c62666dbfeddf8bece72
  4802. 604 7952
  4803. File
  4804. Rename
  4805.  
  4806. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC.xml
  4807. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\aRSwpU2l+M-z1SNFjWmv9A==.7A2F0ADB1B90B147D
  4808. ABB.no_more_ransom
  4809. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  4810. MD5: b9fb3451b1f67c38c970a32832fa5b4b
  4811. SHA1: 6a60bcc4952b6f159a25c62666dbfeddf8bece72
  4812. 604 7952
  4813. File
  4814. Open
  4815.  
  4816. C:\ProgramData\System32\xfs
  4817. MD5: d137c15c7ab90948e800f3d1e8aa2034
  4818. SHA1: 77186409ea44bfebc7f88c35aa714c81fa84167a
  4819. 604 11222
  4820. File
  4821. Close
  4822.  
  4823. C:\ProgramData\System32\xfs
  4824. MD5: 7bfdaf9d9e54f0d325c37a6a938422f2
  4825. SHA1: 78df3e627fa3108a6b8d97d55dd6a3f0198a41df
  4826. 604 11398
  4827. File
  4828. Hide
  4829.  
  4830. C:\ProgramData\System32\xfs
  4831. MD5: 7bfdaf9d9e54f0d325c37a6a938422f2
  4832. SHA1: 78df3e627fa3108a6b8d97d55dd6a3f0198a41df
  4833. 604 11398
  4834. File
  4835. Open
  4836.  
  4837. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Groups.xml
  4838. 604 233
  4839. File
  4840. Close
  4841.  
  4842. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Groups.xml
  4843. MD5: 92cb14554d0223c2996317551f1ea82c
  4844. SHA1: 67092b3bffb5264a1c4dcfe707abbcbac2f4ecf5
  4845. 604 617
  4846. File
  4847. Open
  4848.  
  4849. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Groups.xml
  4850. MD5: 92cb14554d0223c2996317551f1ea82c
  4851. SHA1: 67092b3bffb5264a1c4dcfe707abbcbac2f4ecf5
  4852. 604 617
  4853. File
  4854. Close
  4855.  
  4856. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Groups.xml
  4857. MD5: 09391d163591391d5287f4ed9d5a3767
  4858. SHA1: 589bde79d3da84fdd1d9f2a5c9290bd2faeaf09d
  4859. 604 624
  4860. File
  4861. Rename
  4862.  
  4863. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Groups.xml
  4864. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\-D0JMA3HNfYA20bYPFUmqdCM1huLo4z-ivKQcMzfn0
  4865. 0=.7A2F0ADB1B90B147DABB.no_more_ransom
  4866. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  4867. MD5: 09391d163591391d5287f4ed9d5a3767
  4868. SHA1: 589bde79d3da84fdd1d9f2a5c9290bd2faeaf09d
  4869. 604 624
  4870. File
  4871. Open
  4872.  
  4873. C:\ProgramData\System32\xfs
  4874. MD5: 7bfdaf9d9e54f0d325c37a6a938422f2
  4875. SHA1: 78df3e627fa3108a6b8d97d55dd6a3f0198a41df
  4876. 604 11398
  4877. File
  4878. Open
  4879.  
  4880. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Generic.xml
  4881. 604 13985
  4882. File
  4883. Close
  4884.  
  4885. C:\ProgramData\System32\xfs
  4886. MD5: facc26b694fc1911c7b311bc11dcef18
  4887. SHA1: 50a651a70a34dfd80b118b5fd1770bdee7045fc7
  4888. 604 11580
  4889. File
  4890. Hide
  4891.  
  4892. C:\ProgramData\System32\xfs
  4893. MD5: facc26b694fc1911c7b311bc11dcef18
  4894. SHA1: 50a651a70a34dfd80b118b5fd1770bdee7045fc7
  4895. 604 11580
  4896. File
  4897. Close
  4898.  
  4899. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Generic.xml
  4900. MD5: 6ba2f895fe3ace63e6a72100be165a69
  4901. SHA1: 1c9fedcf4304639f23de83f31955fb634f15a654
  4902. 604 14369
  4903. File
  4904. Open
  4905.  
  4906. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Generic.xml
  4907. MD5: 6ba2f895fe3ace63e6a72100be165a69
  4908. SHA1: 1c9fedcf4304639f23de83f31955fb634f15a654
  4909. 604 14369
  4910. File
  4911. Close
  4912.  
  4913. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Generic.xml
  4914. MD5: f60ba83ec82e5c5c91ec5307dc6cd666
  4915. SHA1: 863e476df668c5ed173e5e74e91da8c89128a506
  4916. 604 14384
  4917. File
  4918. Rename
  4919.  
  4920. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Generic.xml
  4921. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\hqH5LG3GpZTqU7TOPZDJRPGuwcRCAdoAcHJLVSXuY2
  4922. 0=.7A2F0ADB1B90B147DABB.no_more_ransom
  4923. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  4924. MD5: f60ba83ec82e5c5c91ec5307dc6cd666
  4925. SHA1: 863e476df668c5ed173e5e74e91da8c89128a506
  4926. 604 14384
  4927. File
  4928. Open
  4929.  
  4930. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wmv.xml
  4931. 604 3449
  4932. File
  4933. Open
  4934.  
  4935. C:\ProgramData\System32\xfs
  4936. MD5: facc26b694fc1911c7b311bc11dcef18
  4937. SHA1: 50a651a70a34dfd80b118b5fd1770bdee7045fc7
  4938. 604 11580
  4939. File
  4940. Close
  4941.  
  4942. C:\ProgramData\System32\xfs
  4943. MD5: ef7c514675d640025d7c1ddea494fd52
  4944. SHA1: 323260ebb3eff03c5e282b9086c1042961b7fd93
  4945. 604 11764
  4946. File
  4947. Hide
  4948.  
  4949. C:\ProgramData\System32\xfs
  4950. MD5: ef7c514675d640025d7c1ddea494fd52
  4951. SHA1: 323260ebb3eff03c5e282b9086c1042961b7fd93
  4952. 604 11764
  4953. File
  4954. Close
  4955.  
  4956. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wmv.xml
  4957. MD5: f78f2fd3266d2edccbaf4eb3e6b050df
  4958. SHA1: db11c469f1e370260c8e6d4b4ab62a4676e4592c
  4959. 604 3833
  4960. File
  4961. Open
  4962.  
  4963. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wmv.xml
  4964. MD5: f78f2fd3266d2edccbaf4eb3e6b050df
  4965. SHA1: db11c469f1e370260c8e6d4b4ab62a4676e4592c
  4966. 604 3833
  4967. File
  4968. Close
  4969.  
  4970. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wmv.xml
  4971. MD5: d16679d1605724a28fdb7fdec5cfbec7
  4972. SHA1: 7a37c1bfe5d27d2159320d64428fe98cde996de4
  4973. 604 3840
  4974. File
  4975. Rename
  4976.  
  4977. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wmv.xml
  4978. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\W1eSW9DUhh0cKr0petl++q6VcmZsMXs8Tzsvb4WMB5
  4979. g=.7A2F0ADB1B90B147DABB.no_more_ransom
  4980. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  4981. MD5: d16679d1605724a28fdb7fdec5cfbec7
  4982. SHA1: 7a37c1bfe5d27d2159320d64428fe98cde996de4
  4983. 604 3840
  4984. File
  4985. Open
  4986.  
  4987. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wma.xml
  4988. 604 1601
  4989. File
  4990. Open
  4991.  
  4992. C:\ProgramData\System32\xfs
  4993. MD5: ef7c514675d640025d7c1ddea494fd52
  4994. SHA1: 323260ebb3eff03c5e282b9086c1042961b7fd93
  4995. 604 11764
  4996. File
  4997. Close
  4998.  
  4999. C:\ProgramData\System32\xfs
  5000. MD5: 0140f63bb666f9ea8a5acbcbebd3a00d
  5001. SHA1: b17b4a73a0b52562c4a5edaf91eebdd6dc401cd6
  5002. 604 11954
  5003. File
  5004. Hide
  5005.  
  5006. C:\ProgramData\System32\xfs
  5007. MD5: 0140f63bb666f9ea8a5acbcbebd3a00d
  5008. SHA1: b17b4a73a0b52562c4a5edaf91eebdd6dc401cd6
  5009. 604 11954
  5010. File
  5011. Close
  5012.  
  5013. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wma.xml
  5014. MD5: ad8f0a98fba13937d76da657d1e21697
  5015. SHA1: d2d1acbb3d77f40addfdebc8fd078aa5f225507e
  5016. 604 1985
  5017. File
  5018. Open
  5019.  
  5020. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wma.xml
  5021. MD5: ad8f0a98fba13937d76da657d1e21697
  5022. SHA1: d2d1acbb3d77f40addfdebc8fd078aa5f225507e
  5023. 604 1985
  5024. File
  5025. Close
  5026.  
  5027. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wma.xml
  5028. MD5: 976bc81285d81f40b83063dd62345058
  5029. SHA1: 8ff038a01b37ff19d7a5a450f7dc25825a843ffa
  5030. 604 2000
  5031. File
  5032. Rename
  5033.  
  5034. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wma.xml
  5035. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\-niGLRZdtFa3W8Bwl9D5BIzDmuhOU+4BQ2rmE7Jhlk
  5036. U=.7A2F0ADB1B90B147DABB.no_more_ransom
  5037. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  5038. MD5: 976bc81285d81f40b83063dd62345058
  5039. SHA1: 8ff038a01b37ff19d7a5a450f7dc25825a843ffa
  5040. 604 2000
  5041. File
  5042. Open
  5043.  
  5044. C:\ProgramData\System32\xfs
  5045. MD5: 0140f63bb666f9ea8a5acbcbebd3a00d
  5046. SHA1: b17b4a73a0b52562c4a5edaf91eebdd6dc401cd6
  5047. 604 11954
  5048. File
  5049. Close
  5050.  
  5051. C:\ProgramData\System32\xfs
  5052. MD5: 92c340aa6a5a8b0442add3f888b2b6b2
  5053. SHA1: f1cf39263adfb16fc96660792d71da006065e8f1
  5054. 604 12144
  5055. File
  5056. Hide
  5057.  
  5058. C:\ProgramData\System32\xfs
  5059. MD5: 92c340aa6a5a8b0442add3f888b2b6b2
  5060. SHA1: f1cf39263adfb16fc96660792d71da006065e8f1
  5061. 604 12144
  5062. File
  5063. Open
  5064.  
  5065. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wav.xml
  5066. 604 869
  5067. File
  5068. Close
  5069.  
  5070. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wav.xml
  5071. MD5: a9370844adeeaa93b7866522f41cdb91
  5072. SHA1: f8dc6c036d7268eb0bb604c4ad7b49696f40377b
  5073. 604 1253
  5074. File
  5075. Open
  5076.  
  5077. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wav.xml
  5078. MD5: a9370844adeeaa93b7866522f41cdb91
  5079. SHA1: f8dc6c036d7268eb0bb604c4ad7b49696f40377b
  5080. 604 1253
  5081. File
  5082. Close
  5083.  
  5084. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wav.xml
  5085. MD5: fc5e4f0ad3ece153c024765e3196f7e7
  5086. SHA1: a4628506c3de4f5f954a598d5b9a2175d49b97aa
  5087. 604 1264
  5088. File
  5089. Rename
  5090.  
  5091. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wav.xml
  5092. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\XLuqOg5Qu5-XHyiXPjV6f-TOULPEcOQ76AUCQShwBP
  5093. Y=.7A2F0ADB1B90B147DABB.no_more_ransom
  5094. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  5095. MD5: fc5e4f0ad3ece153c024765e3196f7e7
  5096. SHA1: a4628506c3de4f5f954a598d5b9a2175d49b97aa
  5097. 604 1264
  5098. File
  5099. Open
  5100.  
  5101. C:\ProgramData\System32\xfs
  5102. MD5: 92c340aa6a5a8b0442add3f888b2b6b2
  5103. SHA1: f1cf39263adfb16fc96660792d71da006065e8f1
  5104. 604 12144
  5105. File
  5106. Open
  5107.  
  5108. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-rv.xml
  5109. 604 3736
  5110. File
  5111. Close
  5112.  
  5113. C:\ProgramData\System32\xfs
  5114. MD5: 2331f0ec18e8600bab81cde12524babe
  5115. SHA1: 585bd428ecf4f63b5fc9f8bb5f223726201aa39d
  5116. 604 12334
  5117. File
  5118. Hide
  5119.  
  5120. C:\ProgramData\System32\xfs
  5121. MD5: 2331f0ec18e8600bab81cde12524babe
  5122. SHA1: 585bd428ecf4f63b5fc9f8bb5f223726201aa39d
  5123. 604 12334
  5124. File
  5125. Close
  5126.  
  5127. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-rv.xml
  5128. MD5: c2e5208f80bfc2b7ad29745fddec5d3a
  5129. SHA1: 432150ba364d7932f39c2c7fed481fdfe72a359a
  5130. 604 4120
  5131. File
  5132. Open
  5133.  
  5134. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-rv.xml
  5135. MD5: c2e5208f80bfc2b7ad29745fddec5d3a
  5136. SHA1: 432150ba364d7932f39c2c7fed481fdfe72a359a
  5137. 604 4120
  5138. File
  5139. Close
  5140.  
  5141. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-rv.xml
  5142. MD5: e3074ff103a28efe8c000b9da4c24499
  5143. SHA1: a369839b0465fafc9e49ead344b380eb22aba0f6
  5144. 604 4128
  5145. File
  5146. Rename
  5147.  
  5148. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-rv.xml
  5149. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\wv4kbE3vTkkVITNgG+1OxDgZwr25gxRiXsszu6Au+n
  5150. 8=.7A2F0ADB1B90B147DABB.no_more_ransom
  5151. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  5152. MD5: e3074ff103a28efe8c000b9da4c24499
  5153. SHA1: a369839b0465fafc9e49ead344b380eb22aba0f6
  5154. 604 4128
  5155. File
  5156. Open
  5157.  
  5158. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-ral.xml
  5159. 604 929
  5160. File
  5161. Open
  5162.  
  5163. C:\ProgramData\System32\xfs
  5164. MD5: 2331f0ec18e8600bab81cde12524babe
  5165. SHA1: 585bd428ecf4f63b5fc9f8bb5f223726201aa39d
  5166. 604 12334
  5167. File
  5168. Close
  5169.  
  5170. C:\ProgramData\System32\xfs
  5171. MD5: 32c32ddf6dd2c0bb70e47d4faa3fe015
  5172. SHA1: 039ed11333a50682c6c9740215a25b40608e37cb
  5173. 604 12522
  5174. File
  5175. Hide
  5176.  
  5177. C:\ProgramData\System32\xfs
  5178. MD5: 32c32ddf6dd2c0bb70e47d4faa3fe015
  5179. SHA1: 039ed11333a50682c6c9740215a25b40608e37cb
  5180. 604 12522
  5181. File
  5182. Close
  5183.  
  5184. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-ral.xml
  5185. MD5: ec8cc3044de2f86f84e49c25dd651f32
  5186. SHA1: f6e31c920df983c5363b57ba7f0c6c645d188af3
  5187. 604 1313
  5188. File
  5189. Open
  5190.  
  5191. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-ral.xml
  5192. MD5: ec8cc3044de2f86f84e49c25dd651f32
  5193. SHA1: f6e31c920df983c5363b57ba7f0c6c645d188af3
  5194. 604 1313
  5195. File
  5196. Close
  5197.  
  5198. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-ral.xml
  5199. MD5: 3a28cdabdd7dcbf429c4cdd72141730c
  5200. SHA1: 0332f1e5b24f7f396223a3ec81b2d1ad7e486a98
  5201. 604 1328
  5202. File
  5203. Rename
  5204.  
  5205. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-ral.xml
  5206. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\ESF30494qREgUqyO-4wutBiKh6RJdj+9R6oBQeqTM74=.7A2F0ADB1B90B147DABB.no_more_ransom
  5208. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  5209. MD5: 3a28cdabdd7dcbf429c4cdd72141730c
  5210. SHA1: 0332f1e5b24f7f396223a3ec81b2d1ad7e486a98
  5211. 604 1328
  5212. File
  5213. Open
  5214.  
  5215. C:\ProgramData\System32\xfs
  5216. MD5: 32c32ddf6dd2c0bb70e47d4faa3fe015
  5217. SHA1: 039ed11333a50682c6c9740215a25b40608e37cb
  5218. 604 12522
  5219. File
  5220. Open
  5221.  
  5222. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-ra10.xml
  5223. 604 1507
  5224. File
  5225. Close
  5226.  
  5227. C:\ProgramData\System32\xfs
  5228. MD5: 22eab5a69802595c4d44e69be54ef20b
  5229. SHA1: 3bf1a33c92610aedc4352a8dc1994ec22e84c5a4
  5230. 604 12712
  5231. File
  5232. Hide
  5233.  
  5234. C:\ProgramData\System32\xfs
  5235. MD5: 22eab5a69802595c4d44e69be54ef20b
  5236. SHA1: 3bf1a33c92610aedc4352a8dc1994ec22e84c5a4
  5237. 604 12712
  5238. File
  5239. Close
  5240.  
  5241. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-ra10.xml
  5242. MD5: 11cdcb383dc22f04700c197aff9edc44
  5243. SHA1: 93fcf4fbfcfc6467e07b9315722ab2cbd2fd2a45
  5244. 604 1891
  5245. File
  5246. Open
  5247.  
  5248. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-ra10.xml
  5249. MD5: 11cdcb383dc22f04700c197aff9edc44
  5250. SHA1: 93fcf4fbfcfc6467e07b9315722ab2cbd2fd2a45
  5251. 604 1891
  5252. File
  5253. Close
  5254.  
  5255. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-ra10.xml
  5256. MD5: ee57ebc3996d633fbb56a9cc51f91ef9
  5257. SHA1: da7fc76e026dffd3b96cec656f87401e13aaeec0
  5258. 604 1904
  5259. File
  5260. Rename
  5261.  
  5262. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-ra10.xml
  5263. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\2ZtJKEwIvkV8sYhNajp9AuXkg5LjhNA+MiG-bZK4wEw=.7A2F0ADB1B90B147DABB.no_more_ransom
  5265. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  5266. MD5: ee57ebc3996d633fbb56a9cc51f91ef9
  5267. SHA1: da7fc76e026dffd3b96cec656f87401e13aaeec0
  5268. 604 1904
  5269. File
  5270. Open
  5271.  
  5272. C:\ProgramData\System32\xfs
  5273. MD5: 22eab5a69802595c4d44e69be54ef20b
  5274. SHA1: 3bf1a33c92610aedc4352a8dc1994ec22e84c5a4
  5275. 604 12712
  5276. File
  5277. Close
  5278.  
  5279. C:\ProgramData\System32\xfs
  5280. MD5: 0873147a6aaa5e4b1c0cf592f455fe64
  5281. SHA1: c4c292ebb5fe238c2cde93fa7f002aea7b03fdd4
  5282. 604 12904
  5283. File
  5284. Hide
  5285.  
  5286. C:\ProgramData\System32\xfs
  5287. MD5: 0873147a6aaa5e4b1c0cf592f455fe64
  5288. SHA1: c4c292ebb5fe238c2cde93fa7f002aea7b03fdd4
  5289. 604 12904
  5290. File
  5291. Open
  5292.  
  5293. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-mp4.xml
  5294. 604 3178
  5295. File
  5296. Close
  5297.  
  5298. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-mp4.xml
  5299. MD5: 6d4fd729d5a9c1107247aaad61b60039
  5300. SHA1: a8d38fe63ae6af1e270e91fca2a8c16a4778618c
  5301. 604 3562
  5302. File
  5303. Open
  5304.  
  5305. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-mp4.xml
  5306. MD5: 6d4fd729d5a9c1107247aaad61b60039
  5307. SHA1: a8d38fe63ae6af1e270e91fca2a8c16a4778618c
  5308. 604 3562
  5309. File
  5310. Close
  5311.  
  5312. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-mp4.xml
  5313. MD5: 96688ca879566f9560f2efda67506650
  5314. SHA1: 923c4e194483607287ac1b94c76390850520f691
  5315. 604 3568
  5316. File
  5317. Rename
  5318.  
  5319. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-mp4.xml
  5320. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\VnjG3JfRn2B1G0EZefSXX1ClB+mg5KKJx5UNf84z3-k=.7A2F0ADB1B90B147DABB.no_more_ransom
  5322. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  5323. MD5: 96688ca879566f9560f2efda67506650
  5324. SHA1: 923c4e194483607287ac1b94c76390850520f691
  5325. 604 3568
  5326. File
  5327. Open
  5328.  
  5329. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-mp3.xml
  5330. 604 1330
  5331. File
  5332. Open
  5333.  
  5334. C:\ProgramData\System32\xfs
  5335. MD5: 0873147a6aaa5e4b1c0cf592f455fe64
  5336. SHA1: c4c292ebb5fe238c2cde93fa7f002aea7b03fdd4
  5337. 604 12904
  5338. File
  5339. Close
  5340.  
  5341. C:\ProgramData\System32\xfs
  5342. MD5: 0ffb6876589bef4633bba1ec3ee1dc75
  5343. SHA1: 4f19caf3dcabea53c7b9b97cf81200e26a2454f1
  5344. 604 13094
  5345. File
  5346. Hide
  5347.  
  5348. C:\ProgramData\System32\xfs
  5349. MD5: 0ffb6876589bef4633bba1ec3ee1dc75
  5350. SHA1: 4f19caf3dcabea53c7b9b97cf81200e26a2454f1
  5351. 604 13094
  5352. File
  5353. Close
  5354.  
  5355. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-mp3.xml
  5356. MD5: 1ee92dcf64ba278b25639289e1cabfee
  5357. SHA1: 3348f80dfa1e72437e2f4d29d618cdd050293912
  5358. 604 1714
  5359. File
  5360. Open
  5361.  
  5362. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-mp3.xml
  5363. MD5: 1ee92dcf64ba278b25639289e1cabfee
  5364. SHA1: 3348f80dfa1e72437e2f4d29d618cdd050293912
  5365. 604 1714
  5366. File
  5367. Close
  5368.  
  5369. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-mp3.xml
  5370. MD5: aeaa7e710215ebe88f87cef1c8e6bedb
  5371. SHA1: 8bc0a2e5d5ddabb27d6bff89da564c75ecbb1917
  5372. 604 1728
  5373. File
  5374. Rename
  5375.  
  5376. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-mp3.xml
  5377. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\9aWFb73eaa96tLoz2dJfTiYX44Asaro8dqKVReVbvH8=.7A2F0ADB1B90B147DABB.no_more_ransom
  5379. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  5380. MD5: aeaa7e710215ebe88f87cef1c8e6bedb
  5381. SHA1: 8bc0a2e5d5ddabb27d6bff89da564c75ecbb1917
  5382. 604 1728
  5383. File
  5384. Open
  5385.  
  5386. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-h264apple.xml
  5387. 604 5061
  5388. File
  5389. Open
  5390.  
  5391. C:\ProgramData\System32\xfs
  5392. MD5: 0ffb6876589bef4633bba1ec3ee1dc75
  5393. SHA1: 4f19caf3dcabea53c7b9b97cf81200e26a2454f1
  5394. 604 13094
  5395. File
  5396. Close
  5397.  
  5398. C:\ProgramData\System32\xfs
  5399. MD5: 5bb781d47d4d81f450d109eec3e9f019
  5400. SHA1: 4cd92fd070b092e92d071026f0c2647caedd649b
  5401. 604 13284
  5402. File
  5403. Hide
  5404.  
  5405. C:\ProgramData\System32\xfs
  5406. MD5: 5bb781d47d4d81f450d109eec3e9f019
  5407. SHA1: 4cd92fd070b092e92d071026f0c2647caedd649b
  5408. 604 13284
  5409. File
  5410. Close
  5411.  
  5412. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-h264apple.xml
  5413. MD5: 03d3ad324d70cf6d48af77184f4ee163
  5414. SHA1: 0af230475aaffff933d46fad2e6215218022af0d
  5415. 604 5445
  5416. File
  5417. Open
  5418.  
  5419. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-h264apple.xml
  5420. MD5: 03d3ad324d70cf6d48af77184f4ee163
  5421. SHA1: 0af230475aaffff933d46fad2e6215218022af0d
  5422. 604 5445
  5423. File
  5424. Close
  5425.  
  5426. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-h264apple.xml
  5427. MD5: d7cef1215ae478f8eb756e0d999dfb29
  5428. SHA1: 1988cacfb4630272e42aa8be071164cdddd1eac0
  5429. 604 5456
  5430. File
  5431. Rename
  5432.  
  5433. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-h264apple.xml
  5434. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Xvb8AH1+3u3cvay-yEd06jZBmwX16RVH1J2UReg8lvGn6oWv6QYe6G19gAyotIrn.7A2F0ADB1B90B147DABB.no_more_ransom
  5436. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  5437. MD5: d7cef1215ae478f8eb756e0d999dfb29
  5438. SHA1: 1988cacfb4630272e42aa8be071164cdddd1eac0
  5439. 604 5456
  5440. File
  5441. Open
  5442.  
  5443. C:\ProgramData\System32\xfs
  5444. MD5: 5bb781d47d4d81f450d109eec3e9f019
  5445. SHA1: 4cd92fd070b092e92d071026f0c2647caedd649b
  5446. 604 13284
  5447. File
  5448. Open
  5449.  
  5450. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-h264.xml
  5451. 604 3238
  5452. File
  5453. Close
  5454.  
  5455. C:\ProgramData\System32\xfs
  5456. MD5: 0e14e23c5a429768dae8db374a7b3229
  5457. SHA1: d503d92994f4869fbe678a98e4f3129e7df40d4f
  5458. 604 13486
  5459. File
  5460. Hide
  5461.  
  5462. C:\ProgramData\System32\xfs
  5463. MD5: 0e14e23c5a429768dae8db374a7b3229
  5464. SHA1: d503d92994f4869fbe678a98e4f3129e7df40d4f
  5465. 604 13486
  5466. File
  5467. Close
  5468.  
  5469. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-h264.xml
  5470. MD5: 91c3999d104ee0bd06bffbaf309e9a56
  5471. SHA1: 5fb2df23d87646d27a5fd26543509d2a69233995
  5472. 604 3622
  5473. File
  5474. Open
  5475.  
  5476. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-h264.xml
  5477. MD5: 91c3999d104ee0bd06bffbaf309e9a56
  5478. SHA1: 5fb2df23d87646d27a5fd26543509d2a69233995
  5479. 604 3622
  5480. File
  5481. Close
  5482.  
  5483. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-h264.xml
  5484. MD5: f00a91b1c90e8823e55dc95f87a2cb61
  5485. SHA1: 2ffbe469b29f005e8cdd021e05bd7be2a4d3277b
  5486. 604 3632
  5487. File
  5488. Rename
  5489.  
  5490. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-h264.xml
  5491. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\3te7UM3CwsHEQ5Jqt+c22RKLn7idVTfEzT3wxaMx2fk=.7A2F0ADB1B90B147DABB.no_more_ransom
  5493. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  5494. MD5: f00a91b1c90e8823e55dc95f87a2cb61
  5495. SHA1: 2ffbe469b29f005e8cdd021e05bd7be2a4d3277b
  5496. 604 3632
  5497. File
  5498. Open
  5499.  
  5500. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-aac.xml
  5501. 604 1331
  5502. File
  5503. Open
  5504.  
  5505. C:\ProgramData\System32\xfs
  5506. MD5: 0e14e23c5a429768dae8db374a7b3229
  5507. SHA1: d503d92994f4869fbe678a98e4f3129e7df40d4f
  5508. 604 13486
  5509. File
  5510. Close
  5511.  
  5512. C:\ProgramData\System32\xfs
  5513. MD5: ee78c6bcff9ad38475bc8f1cfe59cc7a
  5514. SHA1: 533d35f66c0a34d32b513d2a8eee22fb343d4b9a
  5515. 604 13678
  5516. File
  5517. Hide
  5518.  
  5519. C:\ProgramData\System32\xfs
  5520. MD5: ee78c6bcff9ad38475bc8f1cfe59cc7a
  5521. SHA1: 533d35f66c0a34d32b513d2a8eee22fb343d4b9a
  5522. 604 13678
  5523. File
  5524. Close
  5525.  
  5526. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-aac.xml
  5527. MD5: df0f730dbc6c1c8ceaf7ef2708dc744a
  5528. SHA1: c57d39a241ea3d32fb928d7f542d49a149c6800d
  5529. 604 1715
  5530. File
  5531. Open
  5532.  
  5533. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-aac.xml
  5534. MD5: df0f730dbc6c1c8ceaf7ef2708dc744a
  5535. SHA1: c57d39a241ea3d32fb928d7f542d49a149c6800d
  5536. 604 1715
  5537. File
  5538. Close
  5539.  
  5540. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-aac.xml
  5541. MD5: c66aeb3d3d68a09b563fa1676c85320b
  5542. SHA1: 861322d2ede4d5108bfdb9d60e6df1376e16ee86
  5543. 604 1728
  5544. File
  5545. Rename
  5546.  
  5547. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-aac.xml
  5548. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\26GrUqNW1h5f0Mv4uU7+nFqpQ2Vj03SYOZDV-m6QCv4=.7A2F0ADB1B90B147DABB.no_more_ransom
  5550. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  5551. MD5: c66aeb3d3d68a09b563fa1676c85320b
  5552. SHA1: 861322d2ede4d5108bfdb9d60e6df1376e16ee86
  5553. 604 1728
  5554. File
  5555. Open
  5556.  
  5557. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-3gp.xml
  5558. 604 2708
  5559. File
  5560. Open
  5561.  
  5562. C:\ProgramData\System32\xfs
  5563. MD5: ee78c6bcff9ad38475bc8f1cfe59cc7a
  5564. SHA1: 533d35f66c0a34d32b513d2a8eee22fb343d4b9a
  5565. 604 13678
  5566. File
  5567. Close
  5568.  
  5569. C:\ProgramData\System32\xfs
  5570. MD5: f51287c2a41ba93e942c3bd03d8779d1
  5571. SHA1: f0aeffcae023aacda3b64d7e4f4770014c88e66c
  5572. 604 13868
  5573. File
  5574. Hide
  5575.  
  5576. C:\ProgramData\System32\xfs
  5577. MD5: f51287c2a41ba93e942c3bd03d8779d1
  5578. SHA1: f0aeffcae023aacda3b64d7e4f4770014c88e66c
  5579. 604 13868
  5580. File
  5581. Close
  5582.  
  5583. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-3gp.xml
  5584. MD5: ddd7b63545db76d1dd8751b0e38e06b4
  5585. SHA1: 31a25f36ddcfb8331c1bc8b9275d24b3a7b3dcdf
  5586. 604 3092
  5587. File
  5588. Open
  5589.  
  5590. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-3gp.xml
  5591. MD5: ddd7b63545db76d1dd8751b0e38e06b4
  5592. SHA1: 31a25f36ddcfb8331c1bc8b9275d24b3a7b3dcdf
  5593. 604 3092
  5594. File
  5595. Close
  5596.  
  5597. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-3gp.xml
  5598. MD5: d8ad1a1dee9d3d9012dfce2aab5ec330
  5599. SHA1: 21be739135694ee4188fdead774cda5079425ce4
  5600. 604 3104
  5601. File
  5602. Rename
  5603.  
  5604. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-3gp.xml
  5605. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\UWG-ktkHumCkVu8nBdRlWrvEw+EBUU4IYhkwyMGrwYE=.7A2F0ADB1B90B147DABB.no_more_ransom
  5607. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  5608. MD5: d8ad1a1dee9d3d9012dfce2aab5ec330
  5609. SHA1: 21be739135694ee4188fdead774cda5079425ce4
  5610. 604 3104
  5611. File
  5612. Open
  5613.  
  5614. C:\ProgramData\System32\xfs
  5615. MD5: f51287c2a41ba93e942c3bd03d8779d1
  5616. SHA1: f0aeffcae023aacda3b64d7e4f4770014c88e66c
  5617. 604 13868
  5618. File
  5619. Open
  5620.  
  5621. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Custom.xml
  5622. 604 13789
  5623. File
  5624. Close
  5625.  
  5626. C:\ProgramData\System32\xfs
  5627. MD5: 8537d52b4e353059734c55aec90eea11
  5628. SHA1: 6a97dab984864ecb8bbb1a4fdaf1178861c1e051
  5629. 604 14058
  5630. File
  5631. Hide
  5632.  
  5633. C:\ProgramData\System32\xfs
  5634. MD5: 8537d52b4e353059734c55aec90eea11
  5635. SHA1: 6a97dab984864ecb8bbb1a4fdaf1178861c1e051
  5636. 604 14058
  5637. File
  5638. Close
  5639.  
  5640. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Custom.xml
  5641. MD5: 5a245a647fa97c0ca828a667296fbdff
  5642. SHA1: cd26cd765978e408bef32d359b478674efd71dfc
  5643. 604 14173
  5644. File
  5645. Open
  5646.  
  5647. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Custom.xml
  5648. MD5: 5a245a647fa97c0ca828a667296fbdff
  5649. SHA1: cd26cd765978e408bef32d359b478674efd71dfc
  5650. 604 14173
  5651. File
  5652. Close
  5653.  
  5654. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Custom.xml
  5655. MD5: e7df79c905c570649e17d5b761b4e581
  5656. SHA1: d1dc329256662e8abccc1b44fbf0451b9e472998
  5657. 604 14176
  5658. File
  5659. Rename
  5660.  
  5661. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Custom.xml
  5662. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\cIso+FvEtOBev3kx1ypCQVlvfDUnzXklCZ1TPHm6tZA=.7A2F0ADB1B90B147DABB.no_more_ransom
  5664. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  5665. MD5: e7df79c905c570649e17d5b761b4e581
  5666. SHA1: d1dc329256662e8abccc1b44fbf0451b9e472998
  5667. 604 14176
  5668. File
  5669. Open
  5670.  
  5671. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Cellphone.xml
  5672. 604 3285
  5673. File
  5674. Open
  5675.  
  5676. C:\ProgramData\System32\xfs
  5677. MD5: 8537d52b4e353059734c55aec90eea11
  5678. SHA1: 6a97dab984864ecb8bbb1a4fdaf1178861c1e051
  5679. 604 14058
  5680. File
  5681. Close
  5682.  
  5683. C:\ProgramData\System32\xfs
  5684. MD5: 9ae0c2608081bcc67e80aa59d28a44e0
  5685. SHA1: 3086ab5e43362971b3756b3bc1b1e01775185a98
  5686. 604 14240
  5687. File
  5688. Hide
  5689.  
  5690. C:\ProgramData\System32\xfs
  5691. MD5: 9ae0c2608081bcc67e80aa59d28a44e0
  5692. SHA1: 3086ab5e43362971b3756b3bc1b1e01775185a98
  5693. 604 14240
  5694. File
  5695. Close
  5696.  
  5697. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Cellphone.xml
  5698. MD5: e181a5dc410ebe4c6ca45bc2e656ccf7
  5699. SHA1: 9a94610deba18e2242631f8b3ef030d1c207f3c9
  5700. 604 3669
  5701. File
  5702. Open
  5703.  
  5704. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Cellphone.xml
  5705. MD5: e181a5dc410ebe4c6ca45bc2e656ccf7
  5706. SHA1: 9a94610deba18e2242631f8b3ef030d1c207f3c9
  5707. 604 3669
  5708. File
  5709. Close
  5710.  
  5711. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Cellphone.xml
  5712. MD5: 1c39e28b7125bdda8f05a6a3c6109f05
  5713. SHA1: 73354886d36e5854966406db8f49dee945df2c60
  5714. 604 3680
  5715. File
  5716. Rename
  5717.  
  5718. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Cellphone.xml
  5719. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\uIleu+aNka9l8RN2Ed-LadSCP+D0vzsUQDh5K9pYspM=.7A2F0ADB1B90B147DABB.no_more_ransom
  5721. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  5722. MD5: 1c39e28b7125bdda8f05a6a3c6109f05
  5723. SHA1: 73354886d36e5854966406db8f49dee945df2c60
  5724. 604 3680
  5725. File
  5726. Open
  5727.  
  5728. C:\ProgramData\System32\xfs
  5729. MD5: 9ae0c2608081bcc67e80aa59d28a44e0
  5730. SHA1: 3086ab5e43362971b3756b3bc1b1e01775185a98
  5731. 604 14240
  5732. File
  5733. Open
  5734.  
  5735. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\BlackberryStorm2.xml
  5736. 604 9183
  5737. File
  5738. Close
  5739.  
  5740. C:\ProgramData\System32\xfs
  5741. MD5: 0457eca8e7be4e0a3f26b1e4906d8747
  5742. SHA1: a1eeaec2617649f5997672f02fb00c3f7cceb9a0
  5743. 604 14428
  5744. File
  5745. Hide
  5746.  
  5747. C:\ProgramData\System32\xfs
  5748. MD5: 0457eca8e7be4e0a3f26b1e4906d8747
  5749. SHA1: a1eeaec2617649f5997672f02fb00c3f7cceb9a0
  5750. 604 14428
  5751. File
  5752. Close
  5753.  
  5754. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\BlackberryStorm2.xml
  5755. MD5: 13b983e62b2147f0a5f8587ba614bcd4
  5756. SHA1: 63f2b53417f9ee19532a93e6889e07135c29793b
  5757. 604 9567
  5758. File
  5759. Open
  5760.  
  5761. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\BlackberryStorm2.xml
  5762. MD5: 13b983e62b2147f0a5f8587ba614bcd4
  5763. SHA1: 63f2b53417f9ee19532a93e6889e07135c29793b
  5764. 604 9567
  5765. 2285 Repeated items skipped
  5766. File
  5767. Rename
  5768.  
  5769. Old Name: C:\Users\Administrator\AppData\Local\Google\Chrome\Application\40.0.2214.115\PepperFlash\manifest.json
  5771. New Name: C:\Users\Administrator\AppData\Local\Google\Chrome\Application\40.0.2214.115\PepperFlash\EZxDgVm0bEhtthCUAB74zg4uD7vkIIb7aPsz3UhEAi4=.7A2F0ADB1B90B147DABB.no_more_ransom
  5773. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
  5774. 604 2432
  5775. File
  5776. Hide
  5777.  
  5778. C:\ProgramData\System32\xfs
  5779. MD5: e5166eaac2bea37aff3e7b958b76dbb6
  5780. SHA1: 587268fbe33d8c9284aebf4f31c9b0ac68a8df16
  5781. 604 212178
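The Open/Close/Rename triplets above repeat the same arithmetic for every victim file: the first Close shows the file exactly 384 bytes larger than it was at Open, the Rename shows that size rounded up to a multiple of 16, and the new name is a base64 blob (with '/' swapped for '-', since '/' is not a legal Windows file-name character) followed by .7A2F0ADB1B90B147DABB.no_more_ransom. Between victims the hidden file C:\ProgramData\System32\xfs is reopened and grows by roughly 190 bytes, which reads as a per-file record kept by the sample. The Python below is an added worked example, not part of the sandbox report or of the sample, that turns those observations into checks and runs them over values copied from the records above. Treating the 384 bytes as a per-file header and the 16-byte alignment as block-cipher padding is an inference; the report does not identify the cipher.

```python
"""Added worked example, not part of the sandbox report: checks derived from the
Open/Close/Rename records above. Observed in the trace: a victim file first
grows by exactly 384 bytes, its size at Rename is that rounded up to a
multiple of 16, and the new name is base64 (with '/' replaced by '-', which is
not a legal file-name character on Windows) plus ".<victim id>.no_more_ransom".
Treating the 384 bytes as a per-file header and the 16-byte alignment as
block-cipher padding is our inference; the report does not name the cipher."""
import base64
import re

HEADER_BYTES = 384   # growth seen on the first Close record of every victim file
BLOCK = 16           # alignment of the size shown on the Rename record
SUFFIX = ".no_more_ransom"
NAME_RE = re.compile(r"^(?P<blob>[A-Za-z0-9+\-]+=*)\.(?P<victim>[0-9A-F]{20})\.no_more_ransom$")

# Constructed from the page's records: (original name, size at Open,
# size at Rename, renamed file).
SAMPLES = [
    ("Format-rv.xml", 3736, 4128,
     "wv4kbE3vTkkVITNgG+1OxDgZwr25gxRiXsszu6Au+n8=.7A2F0ADB1B90B147DABB.no_more_ransom"),
    ("Format-ral.xml", 929, 1328,
     "ESF30494qREgUqyO-4wutBiKh6RJdj+9R6oBQeqTM74=.7A2F0ADB1B90B147DABB.no_more_ransom"),
    ("Format-h264apple.xml", 5061, 5456,
     "Xvb8AH1+3u3cvay-yEd06jZBmwX16RVH1J2UReg8lvGn6oWv6QYe6G19gAyotIrn.7A2F0ADB1B90B147DABB.no_more_ransom"),
    ("Custom.xml", 13789, 14176,
     "cIso+FvEtOBev3kx1ypCQVlvfDUnzXklCZ1TPHm6tZA=.7A2F0ADB1B90B147DABB.no_more_ransom"),
]


def expected_encrypted_size(original_size):
    """Size the Rename record shows: original + 384, rounded up to 16."""
    n = original_size + HEADER_BYTES
    return (n + BLOCK - 1) // BLOCK * BLOCK


def size_growth_matches(original_size, final_size):
    """Header plus 0..16 bytes of padding, ending block aligned. Allowing a full
    extra block covers PKCS#7-style padding of an input that was already
    aligned, a case the page's samples do not exercise."""
    pad = final_size - original_size - HEADER_BYTES
    return 0 <= pad <= BLOCK and final_size % BLOCK == 0


def parse_encrypted_name(name):
    """Return (decoded name ciphertext, victim id), or None if the name does
    not follow the pattern."""
    m = NAME_RE.match(name)
    if m is None:
        return None
    blob = m.group("blob").replace("-", "/")     # undo the file-name-safe substitution
    try:
        data = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    return data, m.group("victim")


def original_name_length_range(ciphertext_len):
    """Plaintext name lengths a ciphertext of this length can hold, assuming
    (our inference) a 16-byte IV followed by PKCS#7-padded 16-byte blocks."""
    if ciphertext_len < 2 * BLOCK or ciphertext_len % BLOCK:
        return None
    body = ciphertext_len - BLOCK
    return body - BLOCK, body - 1      # 1..16 bytes of padding


def classify_rename(old_name, old_size, new_size, new_name):
    """Indicators matched by one Rename record; an empty list means benign."""
    hits = []
    parsed = parse_encrypted_name(new_name)
    if parsed:
        data, victim = parsed
        hits.append(f"suffix {SUFFIX} with victim id {victim}")
        rng = original_name_length_range(len(data))
        if rng and rng[0] <= len(old_name) <= rng[1]:
            hits.append(f"{len(data)}-byte name ciphertext fits a {len(old_name)}-char name")
    if size_growth_matches(old_size, new_size):
        hits.append(f"size {old_size} -> {new_size} = +{HEADER_BYTES} then 16-byte alignment")
    return hits


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], classify_rename(*sample))
    print("benign:", classify_rename("report.xml", 1000, 1000, "report.bak"))
```

Every sample from the trace matches all three indicators and a plain rename matches none. The name-length check is weak on its own (any 16-byte-block cipher with a prepended IV gives the same lengths), but the fixed victim-id suffix together with the "+384 then align to 16" growth is specific enough to separate this rename pattern from benign activity, and the second check needs only old and new sizes, which file-system telemetry provides without a sandbox.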
  5782. Appexception
  5783.  
  5784. Exception Faulting Address: 0x246b1289 Exception Code: 0xc0000005 Exception Level: SECOND_CHANCE
  5785. Exception Type: STATUS_ACCESS_VIOLATION Instruction Address: 0x000007fefc14ac25
  5786. Description: N/A Imagepath: C:\Windows\explorer.exe
  5787.  
  5788. Call Stack:
  5789. Frame No. Instruction Addr. Module Name Symbol Name SD
  5790. 1676
  5791. Malicious Alert
  5792. Application Crash Activity
  5793.  
  5794. Message: Application crash detected
  5795.  
  5796. Malicious Alert
  5797. Misc Anom
  5798.  
  5799. Message: Suspicious Persistence Behavior
  5800.  
  5801. Malicious Alert
  5802. Misc Anom
  5803.  
  5804. Message: System file created, modified, or overwritten
  5805.  
  5806. OS Change Detail (version: 1.2767) | Items: 602 | OS Info: Microsoft WindowsXP 32-bit 5.1 sp3 16.0901
  5807. Type Mode/Class Details (Path/Message/Protocol/Hostname/Qtype/ListenPort etc.) Process ID Parent ID File Size
  5808. Analysis
  5809. Malware
  5810.  
  5811.  
  5812. Application
  5813.  
  5814.  
  5815. 3 Repeated items skipped
  5816. Config Update
  5817.  
  5818.  
  5819. Process
  5820. Started
  5821.  
  5822. C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  5823. Parentname: C:\WINDOWS\explorer.exe
  5824. Command Line: "C:\DOCUME~1\admin\LOCALS~1\Temp\factura.exe"
  5825. MD5: 9995a1c9ecf2a84bb9da752dfc43cbe8
  5826. SHA1: d54dcd18d30fc944347b994376282c9ec1b7467d
  5827. 3728 648 1206863
  5828. File
  5829. Failed
  5830.  
  5831. C:\DOCUME~1\admin\LOCALS~1\Temp\LPK.DLL
  5832. 3728
  5833. File
  5834. Failed
  5835.  
  5836. C:\DOCUME~1\admin\LOCALS~1\Temp\USP10.dll
  5837. 3728
  5838. QuerySystemTime
  5839.  
  5840. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  5841. 3728
  5842. Regkey
  5843. Queryvalue
  5844.  
  5845. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
  5846. 3728
  5847. File
  5848. Failed
  5849.  
  5850. C:\DOCUME~1\admin\LOCALS~1\Temp\kyEFJiaNlv
  5851. 3728
  5852. 2 Repeated items skipped
  5853. File
  5854. Failed
  5855.  
  5856. C:\WINDOWS\system32\kyEFJiaNlv
  5857. 3728
  5858. File
  5859. Failed
  5860.  
  5861. C:\WINDOWS\system\kyEFJiaNlv
  5862. 3728
  5863. File
  5864. Failed
  5865.  
  5866. C:\WINDOWS\kyEFJiaNlv
  5867. 3728
  5868. File
  5869. Failed
  5870.  
  5871. C:\WINDOWS\system32\kyEFJiaNlv
  5872. 3728
  5873. File
  5874. Failed
  5875.  
  5876. C:\WINDOWS\kyEFJiaNlv
  5877. 3728
  5878. File
  5879. Failed
  5880.  
  5881. C:\WINDOWS\system32\wbem\kyEFJiaNlv
  5882. 3728
  5883. File
  5884. Failed
  5885.  
  5886. C:\Program Files\Skype\Phone\kyEFJiaNlv
  5887. 3728
  5888. File
  5889. Failed
  5890.  
  5891. C:\Program Files\QuickTime\QTSystem\kyEFJiaNlv
  5892. 3728
  5893. File
  5894. Failed
  5895.  
  5896. C:\WINDOWS\system32\WindowsPowerShell\v1.0\kyEFJiaNlv
  5897. 3728
  5898. File
  5899. Failed
  5900.  
  5901. C:\Program Files\Debugging Tools for Windows (x86)\kyEFJiaNlv
  5902. 3728
  5903. API Call
  5904.  
  5905. API Name: GetDesktopWindow Address: 0x004010e0
  5906. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: user32.dll
  5907. 3728
  5908. File
  5909. Failed
  5910.  
  5911. C:\DOCUME~1\admin\LOCALS~1\Temp\rxVwYjlhVy
  5912. 3728
  5913. 2 Repeated items skipped
  5914. File
  5915. Failed
  5916.  
  5917. C:\WINDOWS\system32\rxVwYjlhVy
  5918. 3728
  5919. File
  5920. Failed
  5921.  
  5922. C:\WINDOWS\system\rxVwYjlhVy
  5923. 3728
  5924. File
  5925. Failed
  5926.  
  5927. C:\WINDOWS\rxVwYjlhVy
  5928. 3728
  5929. File
  5930. Failed
  5931.  
  5932. C:\WINDOWS\system32\rxVwYjlhVy
  5933. 3728
  5934. File
  5935. Failed
  5936.  
  5937. C:\WINDOWS\rxVwYjlhVy
  5938. 3728
  5939. File
  5940. Failed
  5941.  
  5942. C:\WINDOWS\system32\wbem\rxVwYjlhVy
  5943. 3728
  5944. File
  5945. Failed
  5946.  
  5947. C:\Program Files\Skype\Phone\rxVwYjlhVy
  5948. 3728
  5949. File
  5950. Failed
  5951.  
  5952. C:\Program Files\QuickTime\QTSystem\rxVwYjlhVy
  5953. 3728
  5954. File
  5955. Failed
  5956.  
  5957. C:\WINDOWS\system32\WindowsPowerShell\v1.0\rxVwYjlhVy
  5958. 3728
  5959. File
  5960. Failed
  5961.  
  5962. C:\Program Files\Debugging Tools for Windows (x86)\rxVwYjlhVy
  5963. 3728
  5964. API Call
  5965.  
  5966. API Name: GetSystemDirectoryA Address: 0x77121df1
  5967. Params: [0x771a1290, 260]
  5968. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  5969. 3728
  5970. File
  5971. Failed
  5972.  
  5973. C:\DOCUME~1\admin\LOCALS~1\Temp\WS2_32.dll
  5974. 3728
  5975. File
  5976. Failed
  5977.  
  5978. C:\DOCUME~1\admin\LOCALS~1\Temp\WS2HELP.dll
  5979. 3728
  5980. File
  5981. Failed
  5982.  
  5983. C:\DOCUME~1\admin\LOCALS~1\Temp\netapi32.dll
  5984. 3728
  5985. Regkey
  5986. Added
  5987.  
  5988. \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  5989. 3728
  5990. Regkey
  5991. Setval
  5992.  
  5993. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Common AppData" = C:\Documents and Settings\All Users\Application Data
  5995. 3728
  5996. Regkey
  5997. Added
  5998.  
  5999. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  6001. 3728
  6002. Regkey
  6003. Added
  6004.  
  6005. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  6007. 3728
  6008. Regkey
  6009. Setval
  6010.  
  6011. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"AppData" = C:\Documents and Settings\admin\Application Data
  6013. 3728
  6014. API Call
  6015.  
  6016. API Name: GetComputerNameW Address: 0x00413a3c
  6017. Params: [0x12fb4c, 0x12fb8c]
  6018. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6019. 3728
  6020. Regkey
  6021. Queryvalue
  6022.  
  6023. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
  6024. 3728
  6025. API Call
  6026.  
  6027. API Name: GetSystemDirectoryW Address: 0x00413bac
  6028. Params: [0x12f984, 260]
  6029. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6030. 3728
  6031. Regkey
  6032. Added
  6033.  
  6034. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
  6035. 3728
  6036. Regkey
  6037. Added
  6038.  
  6039. \REGISTRY\MACHINE\SOFTWARE\System32
  6040. 3728
  6041. Regkey
  6042. Added
  6043.  
  6044. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration
  6045. 3728
  6046. Regkey
  6047. Setval
  6048.  
  6049. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xi" = 4F3773E1C2AF79622E62
  6050. 3728
  6051. File
  6052. Failed
  6053.  
  6054. C:\Documents and Settings\All Users\Application Data\SYSTEM32\XVERSION
  6055. 3728
  6056. File
  6057. Failed
  6058.  
  6059. C:\Documents and Settings\admin\Application Data\SYSTEM32\XVERSION
  6060. 3728
  6061. File
  6062. Failed
  6063.  
  6064. C:\Documents and Settings\All Users\Application Data\Windows
  6065. 3728
  6066. Folder
  6067. Created
  6068.  
  6069. C:\Documents and Settings\All Users\Application Data\Windows
  6070. 3728
  6071. Folder
  6072. Created
  6073.  
  6074. C:\Documents and Settings\admin\Local Settings\Temp\6893A5D897
  6075. 3728
  6076. Folder
  6077. Hide
  6078.  
  6079. C:\Documents and Settings\All Users\Application Data\Windows
  6080. 3728
  6081. File
  6082. Failed
  6083.  
  6084. C:\Documents and Settings\All Users\Application Data\Windows\csrss.exe
  6085. 3728
  6086. File
  6087. Created
  6088.  
  6089. C:\Documents and Settings\All Users\Application Data\Windows\csrss.exe
  6090. 3728
  6091. Malicious Alert
  6092. Malicious Directory
  6093.  
  6094. Message: Executable file created in suspicious location
  6095.  
  6096. Malicious Alert
  6097. Misc Anom
  6098.  
  6099. Message: Generic Trojan Behavior
  6100.  
  6101. API Call
  6102.  
  6103. API Name: SetProcessDEPPolicy Address: 0x00470bd9
  6104. Params: [1]
  6105. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6106. 3728
  6107. API Call
  6108.  
  6109. API Name: CryptAcquireContextW Address: 0x004247f1
  6110. Params: [NULL, NULL, 1, 4026531840]
  6111. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: advapi32.dll
  6112. 3728
  6113. File
  6114. Failed
  6115.  
  6116. C:\DOCUME~1\admin\LOCALS~1\Temp\rsaenh.dll
  6117. 3728
  6118. 2 Repeated items skipped
  6119. File
  6120. Close
  6121.  
  6122. C:\Documents and Settings\All Users\Application Data\Windows\csrss.exe
  6123. MD5: 9995a1c9ecf2a84bb9da752dfc43cbe8
  6124. SHA1: d54dcd18d30fc944347b994376282c9ec1b7467d
  6125. 3728 1206863
  6126. Regkey
  6127. Added
  6128.  
  6129. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
  6131. 3728
  6132. Regkey
  6133. Setval
  6134.  
  6135. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run\"Client Server Runtime Subsystem" = "C:\Documents and Settings\All Users\Application Data\Windows\csrss.exe"
  6138. 3728
  6139. Malicious Alert
  6140. Suspicious Persistance Activity
  6141.  
  6142. Message: Startup services added for file in suspicious folder
  6143.  
  6144. Malicious Alert
  6145. Misc Anom
  6146.  
  6147. Message: Suspicious Persistence Activity
  6148.  
  6149. Regkey
  6150. Added
  6151.  
  6152. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
  6153. 3728
  6154. API Call
  6155.  
  6156. API Name: Sleep Address: 0x0040de21
  6157. Params: [100]
  6158. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6159. 3728
  6160. Regkey
  6161. Setval
  6162.  
  6163. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xVersion" = 4.0.0.1
  6164. 3728
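The XP run records the full persistence chain in a few consecutive entries: the sample creates and hides a folder named Windows under the common application-data directory, writes a copy of itself there as csrss.exe (the Close record carries the same MD5 as factura.exe), registers it under the per-user Run key with the value name "Client Server Runtime Subsystem" (the display name of the real csrss.exe), and keeps its own state in HKLM\SOFTWARE\System32\Configuration ("xi" and "xVersion" = 4.0.0.1). The CryptAcquireContextW call just before the Run value uses flags 4026531840, which is 0xF0000000 (CRYPT_VERIFYCONTEXT, a context with no persistent key container). The Python below is an added example, not part of the sandbox report or of the sample: detection rules for that chain, run over record dictionaries constructed from the page's own lines. The record schema, the rule names, the list of impersonated binary names and the trusted-root list are assumptions of this example.

```python
r"""Added example, not part of the sandbox report: detection rules for the
persistence chain recorded in the Windows XP run above (a self-copy of the
sample written as csrss.exe into a hidden folder under the common
application-data directory, a Run value named "Client Server Runtime
Subsystem" pointing at it, and private configuration values "xi" and
"xVersion" under HKLM\SOFTWARE\System32\Configuration). The records are
constructed from the page's lines; the schema, rule names, impersonated-binary
list and trusted-root list are our assumptions."""
import ntpath
import re

SAMPLE_MD5 = "9995a1c9ecf2a84bb9da752dfc43cbe8"   # factura.exe, as reported above
SYSTEM_BINARY_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe",
                       "winlogon.exe", "services.exe"}
RUN_KEYS = ("\\microsoft\\windows\\currentversion\\run",
            "\\microsoft\\windows\\currentversion\\runonce")
TRUSTED_EXE_ROOTS = ("c:\\windows\\", "c:\\program files\\",
                     "c:\\program files (x86)\\")
# A value write is printed by the trace as:  <key>\"<value name>" = <data>
VALUE_RE = re.compile(r'^(?P<key>.+?)\\"(?P<name>[^"]*)"\s*=\s*(?P<data>.*)$')

RECORDS = [  # constructed from the page's XP-run lines, in trace order
    {"type": "Regkey", "mode": "Setval",
     "detail": r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Common AppData" = C:\Documents and Settings\All Users\Application Data'},
    {"type": "Regkey", "mode": "Setval",
     "detail": r'\REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xi" = 4F3773E1C2AF79622E62'},
    {"type": "Folder", "mode": "Created",
     "detail": r"C:\Documents and Settings\All Users\Application Data\Windows"},
    {"type": "Folder", "mode": "Hide",
     "detail": r"C:\Documents and Settings\All Users\Application Data\Windows"},
    {"type": "File", "mode": "Created",
     "detail": r"C:\Documents and Settings\All Users\Application Data\Windows\csrss.exe"},
    {"type": "File", "mode": "Close", "md5": SAMPLE_MD5,
     "detail": r"C:\Documents and Settings\All Users\Application Data\Windows\csrss.exe"},
    {"type": "Regkey", "mode": "Setval",
     "detail": r'\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run\"Client Server Runtime Subsystem" = "C:\Documents and Settings\All Users\Application Data\Windows\csrss.exe"'},
    {"type": "Regkey", "mode": "Setval",
     "detail": r'\REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xVersion" = 4.0.0.1'},
]


def normalize_key(raw):
    """Map the kernel-style \\REGISTRY\\MACHINE and \\REGISTRY\\USER prefixes to hklm / hku."""
    k = raw.lower().rstrip("\\")
    for prefix, hive in (("\\registry\\machine\\", "hklm\\"), ("\\registry\\user\\", "hku\\")):
        if k.startswith(prefix):
            return hive + k[len(prefix):]
    return k


def parse_setval(detail):
    """Return (normalized key, value name, data without surrounding quotes) or None."""
    m = VALUE_RE.match(detail)
    if m is None:
        return None
    data = m.group("data").strip()
    if len(data) >= 2 and data[0] == data[-1] == '"':
        data = data[1:-1]
    return normalize_key(m.group("key")), m.group("name"), data


def is_run_key(key):
    return key.endswith(RUN_KEYS)


def exe_outside_trusted_roots(path):
    p = path.lower()
    return p.endswith(".exe") and not p.startswith(TRUSTED_EXE_ROOTS)


def analyze(records, process_md5):
    """Apply the rules to trace records ({"type", "mode", "detail", optional "md5"})
    and return (rule, evidence) tuples in trace order."""
    findings, written_exes, run_targets = [], {}, []
    for r in records:
        kind, mode, d = r["type"], r["mode"], r["detail"]
        if kind == "File" and d.lower().endswith(".exe"):
            if (mode == "Created" and ntpath.basename(d).lower() in SYSTEM_BINARY_NAMES
                    and exe_outside_trusted_roots(d)):
                findings.append(("system binary name outside the Windows directories", d))
            if r.get("md5"):                      # the trace hashes the file on Close
                written_exes[d.lower()] = r["md5"]
                if r["md5"] == process_md5:
                    findings.append(("self-copy: same MD5 as the running sample", d))
        elif kind == "Folder" and mode == "Hide":
            findings.append(("folder hidden by the sample", d))
        elif kind == "Regkey" and mode == "Setval":
            parsed = parse_setval(d)
            if parsed is None:
                continue
            key, name, data = parsed
            if is_run_key(key) and exe_outside_trusted_roots(data):
                findings.append(("Run value points outside the trusted roots", f"{name} = {data}"))
                run_targets.append(data)
            if key.startswith("hklm\\software\\system32"):
                findings.append(("private configuration under HKLM\\SOFTWARE\\System32", f"{name} = {data}"))
    # Second pass, so record order does not matter: tie the autorun entry to a
    # file the sample itself wrote.
    for target in run_targets:
        if target.lower() in written_exes:
            findings.append(("autorun target was written by the sample", target))
    return findings


if __name__ == "__main__":
    for rule, evidence in analyze(RECORDS, SAMPLE_MD5):
        print(f"{rule}: {evidence}")
```

On the constructed records the rules fire seven times, and the last finding is the one worth alerting on: the Run value points at an executable the sample wrote with its own hash. The trusted-root allowlist is deliberately coarse (a sample dropping into C:\Windows\Temp would pass it), which is why the self-copy and impersonated-name rules are kept independent of it.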
  6165. File
  6166. Failed
  6167.  
  6168. C:\DOCUME~1\admin\LOCALS~1\Temp\rsaenh.dll
  6169. 3728
  6170. File
  6171. Failed
  6172.  
  6173. C:\DOCUME~1\admin\LOCALS~1\Temp\crypt32.dll
  6174. 3728
  6175. API Call
  6176.  
  6177. API Name: Sleep Address: 0x0040de21
  6178. Params: [100]
  6179. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6180. 3728
  6181. API Call
  6182.  
  6183. API Name: CryptAcquireContextW Address: 0x00424844
  6184. Params: [NULL, Intel Hardware Cryptographic Service Provider, 22, 0]
  6185. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: advapi32.dll
  6186. 3728
  6187. API Call
  6188.  
  6189. API Name: GetDesktopWindow Address: 0x0041e281
  6190. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: user32.dll
  6191. 3728
  6192. API Call
  6193.  
  6194. API Name: Process32First Address: 0x00424bf3
  6195. Params: [0x84, 0xf3f7d0]
  6196. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6197. 3728
  6198. Malicious Alert
  6199. Generic Anomalous Activity
  6200.  
  6201. Message: Enumerating running processes
  6202.  
  6203. API Call
  6204.  
  6205. API Name: Sleep Address: 0x0040de21
  6206. Params: [100]
  6207. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6208. 3728
  6209. API Call
  6210.  
  6211. API Name: CryptAcquireContextA Address: 0x0050087e
  6212. Params: [NULL, NULL, 1, 4026531840]
  6213. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: advapi32.dll
  6214. 3728
  6215. API Call
  6216.  
  6217. API Name: CryptAcquireContextW Address: 0x004247f1
  6218. Params: [NULL, NULL, 1, 4026531840]
  6219. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: advapi32.dll
  6220. 3728
  6221. API Call
  6222.  
  6223. API Name: CryptAcquireContextW Address: 0x00424844
  6224. Params: [NULL, Intel Hardware Cryptographic Service Provider, 22, 0]
  6225. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: advapi32.dll
  6226. 3728
  6227. API Call
  6228.  
  6229. API Name: GetDesktopWindow Address: 0x0041e281
  6230. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: user32.dll
  6231. 3728
  6232. API Call
  6233.  
  6234. API Name: Process32First Address: 0x00424bf3
  6235. Params: [0x98, 0xf3f748]
  6236. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6237. 3728
  6238. API Call
  6239.  
  6240. API Name: Sleep Address: 0x0040de21
  6241. Params: [100]
  6242. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6243. 3728
  6244. API Call
  6245.  
  6246. API Name: GetSystemDirectoryA Address: 0x74723c7f
  6247. Params: [0xf3e6ac, 261]
  6248. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6249. 3728
  6250. API Call
  6251.  
  6252. API Name: GetSystemDirectoryA Address: 0x74723c7f
  6253. Params: [0xf3e6b4, 261]
  6254. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6255. 3728
  6256. API Call
  6257.  
  6258. API Name: GetSystemDirectoryA Address: 0x74723c7f
  6259. Params: [0xf3e600, 261]
  6260. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6261. 3728
  6262. API Call
  6263.  
  6264. API Name: SetWindowsHookExA Address: 0x7473097c
  6265. Params: [2, 0x747307c3, 0x74720000, 3740]
  6266. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: user32.dll
  6267. 3728
  6268. API Call
  6269.  
  6270. API Name: SetWindowsHookExA Address: 0x7473099a
  6271. Params: [7, 0x747304cd, 0x74720000, 3740]
  6272. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: user32.dll
  6273. 3728
  6274. Mutex
  6275.  
  6276. \BaseNamedObjects\CTF.LBES.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
  6277. 3728
  6278. Mutex
  6279.  
  6280. \BaseNamedObjects\CTF.Compart.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
  6281. 3728
  6282. Mutex
  6283.  
  6284. \BaseNamedObjects\CTF.Asm.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
  6285. 3728
  6286. Mutex
  6287.  
  6288. \BaseNamedObjects\CTF.Layouts.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
  6289. 3728
  6290. Mutex
  6291.  
  6292. \BaseNamedObjects\CTF.TMD.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
  6293. 3728
  6294. Mutex
  6295.  
  6296. \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-1409082233-688789844-725345543-1003MUTEX.DefaultS-1-5-21-1409082233-688789844-725345543-1003
  6298. 3728
  6299. File
  6300. Failed
  6301.  
  6302. C:\DOCUME~1\admin\LOCALS~1\Temp\SETUPAPI.dll
  6303. 3728
  6304. API Call
  6305.  
  6306. API Name: GetSystemDirectoryW Address: 0x77927324
  6307. Params: [0xf3e914, 260]
  6308. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6309. 3728
  6310. API Call
  6311.  
  6312. API Name: GetComputerNameExW Address: 0x77927048
  6313. Params: [0, 0xf3e948, 0xf3e944]
  6314. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6315. 3728
  6316. API Call
  6317.  
  6318. API Name: GetComputerNameExW Address: 0x779270ab
  6319. Params: [3, 0xf3e948, 0xf3e944]
  6320. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6321. 3728
  6322. Regkey
  6323. Queryvalue
  6324.  
  6325. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
  6326. 3728
  6327. API Call
  6328.  
  6329. API Name: GetVolumeNameForVolumeMountPointW Address: 0x7ca3f17e
  6330. Params: [NULL, \\?\Volume{e319f02c-31a9-11e1-9a3f-806d6172696f}\]
  6331. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6332. 3728
  6333. API Call
  6334.  
  6335. API Name: GetVolumeNameForVolumeMountPointW Address: 0x7ca3f17e
  6336. Params: [NULL, \\?\Volume{e319f02e-31a9-11e1-9a3f-806d6172696f}\]
  6337. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6338. 3728
  6339. API Call
  6340.  
  6341. API Name: Sleep Address: 0x0040de21
  6342. Params: [100]
  6343. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6344. 3728
  6345. Regkey
  6346. Setval
  6347.  
  6348. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e319f02e-31a9-11e1-9a3f-806d6172696f}\"BaseClass" = Drive
  6350. 3728
  6351. Regkey
  6352. Setval
  6353.  
  6354. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e319f02c-31a9-11e1-9a3f-806d6172696f}\"BaseClass" = Drive
  6356. 3728
  6357. File
  6358. Failed
  6359.  
  6360. C:\Documents and Settings\admin\Application Data\tor
  6361. 3728
  6362. 4 Repeated items skipped
  6363. API Call
  6364.  
  6365. API Name: Sleep Address: 0x0040de21
  6366. Params: [100]
  6367. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6368. 3728
  6369. API Call
  6370.  
  6371. API Name: Sleep Address: 0x0040de21
  6372. Params: [100]
  6373. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6374. 3728
  6375. 12 Repeated items skipped
  6376. File
  6377. Failed
  6378.  
  6379. C:\DOCUME~1\admin\LOCALS~1\Temp\hnetcfg.dll
  6380. 3728
  6381. API Call
  6382.  
  6383. API Name: Sleep Address: 0x0040de21
  6384. Params: [100]
  6385. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6386. 3728
  6387. Network
  6388. Listen
  6389.  
  6390. Protocol Type: tcp Listen Port: 1064 IP Address: 127.0.0.1:1064
  6391. Imagepath: c:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  6392. 3728
  6393. Malicious Alert
  6394. Network Activity
  6395.  
  6396. Message: TCP listen port opened
  6397.  
  6398. API Call
  6399.  
  6400. API Name: Sleep Address: 0x0040de21
  6401. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6402. 3728
  6403. Network
  6404. Connect
  6405.  
  6406. Protocol Type: tcp Destination Port: 1064 IP Address: 127.0.0.1
  6407. Imagepath: c:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  6408. 3728
  6409. Malicious Alert
  6410. Network Activity
  6411.  
  6412. Message: Network outbound communication attempted
  6413.  
  6414. Network
  6415. Listen
  6416.  
  6417. Protocol Type: tcp Listen Port: 56217 IP Address: 127.0.0.1:56217
  6418. Imagepath: c:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  6419. 3728
  6420. File
  6421. Created
  6422.  
  6423. C:\Documents and Settings\admin\Local Settings\Temp\6893A5D897\lock
  6424. 3728
  6425. File
  6426. Created
  6427.  
  6428. C:\Documents and Settings\admin\Local Settings\Temp\6893A5D897\state.tmp
  6429. 3728
  6430. File
  6431. Close
  6432.  
  6433. C:\Documents and Settings\admin\Local Settings\Temp\6893A5D897\state.tmp
  6434. MD5: b3e3e0dc8df66c9af4da25f37df632f0
  6435. SHA1: 1b8d598b4efe61cbc429502392514955c5d31eab
  6436. 3728 199
  6437. File
  6438. Rename
  6439.  
  6440. Old Name: C:\Documents and Settings\admin\Local Settings\Temp\6893A5D897\state.tmp
  6441. New Name: C:\Documents and Settings\admin\Local Settings\Temp\6893A5D897\state
  6442. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  6443. MD5: b3e3e0dc8df66c9af4da25f37df632f0
  6444. SHA1: 1b8d598b4efe61cbc429502392514955c5d31eab
  6445. 3728 199
  6446. File
  6447. Failed
  6448.  
  6449. C:\DOCUME~1\admin\LOCALS~1\Temp\6893A5~1\router-stability
  6450. 3728
  6451. File
  6452. Failed
  6453.  
  6454. C:\Documents and Settings\admin\Application Data\TOR\GEOIP
  6455. 3728
  6456. File
  6457. Failed
  6458.  
  6459. C:\Documents and Settings\admin\Application Data\TOR\GEOIP6
  6460. 3728
  6461. File
  6462. Failed
  6463.  
  6464. C:\DOCUME~1\admin\LOCALS~1\Temp\6893A5~1\cached-certs
  6465. 3728
  6466. File
  6467. Failed
  6468.  
  6469. C:\DOCUME~1\admin\LOCALS~1\Temp\6893A5~1\cached-consensus
  6470. 3728
  6471. File
  6472. Failed
  6473.  
  6474. C:\DOCUME~1\admin\LOCALS~1\Temp\6893A5~1\unverified-consensus
  6475. 3728
  6476. File
  6477. Failed
  6478.  
  6479. C:\DOCUME~1\admin\LOCALS~1\Temp\6893A5~1\cached-microdesc-consensus
  6480. 3728
  6481. File
  6482. Failed
  6483.  
  6484. C:\DOCUME~1\admin\LOCALS~1\Temp\6893A5~1\unverified-microdesc-consensus
  6485. 3728
  6486. File
  6487. Failed
  6488.  
  6489. C:\DOCUME~1\admin\LOCALS~1\Temp\6893A5~1\cached-microdescs
  6490. 3728
  6491. File
  6492. Failed
  6493.  
  6494. C:\DOCUME~1\admin\LOCALS~1\Temp\6893A5~1\cached-microdescs.new
  6495. 3728
  6496. File
  6497. Failed
  6498.  
  6499. C:\DOCUME~1\admin\LOCALS~1\Temp\6893A5~1\cached-descriptors
  6500. 3728
  6501. File
  6502. Failed
  6503.  
  6504. C:\DOCUME~1\admin\LOCALS~1\Temp\6893A5~1\cached-extrainfo
  6505. 3728
  6506. API Call
  6507.  
  6508. API Name: Sleep Address: 0x0040de21
  6509. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6510. 3728
  6511. API Call
  6512.  
  6513. API Name: Sleep Address: 0x0040de21
  6514. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6515. 3728
  6516. API Call
  6517.  
  6518. API Name: Sleep Address: 0x0040de21
  6519. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6520. 3728
  6521. API Call
  6522.  
  6523. API Name: GetSystemDirectoryA Address: 0x004f8683
  6524. Params: [0xf3f924, 260]
  6525. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6526. 3728
  6527. File
  6528. Failed
  6529.  
  6530. C:\DOCUME~1\admin\LOCALS~1\Temp\netman.dll
  6531. 3728
  6532. File
  6533. Failed
  6534.  
  6535. C:\DOCUME~1\admin\LOCALS~1\Temp\MPRAPI.dll
  6536. 3728
  6537. File
  6538. Failed
  6539.  
  6540. C:\DOCUME~1\admin\LOCALS~1\Temp\ACTIVEDS.dll
  6541. 3728
  6542. File
  6543. Failed
  6544.  
  6545. C:\DOCUME~1\admin\LOCALS~1\Temp\adsldpc.dll
  6546. 3728
  6547. File
  6548. Failed
  6549.  
  6550. C:\DOCUME~1\admin\LOCALS~1\Temp\ATL.DLL
  6551. 3728
  6552. File
  6553. Failed
  6554.  
  6555. C:\DOCUME~1\admin\LOCALS~1\Temp\rtutils.dll
  6556. 3728
  6557. File
  6558. Failed
  6559.  
  6560. C:\DOCUME~1\admin\LOCALS~1\Temp\SAMLIB.dll
  6561. 3728
  6562. File
  6563. Failed
  6564.  
  6565. C:\DOCUME~1\admin\LOCALS~1\Temp\netshell.dll
  6566. 3728
  6567. File
  6568. Failed
  6569.  
  6570. C:\DOCUME~1\admin\LOCALS~1\Temp\credui.dll
  6571. 3728
  6572. API Call
  6573.  
  6574. API Name: Sleep Address: 0x0040de21
  6575. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6576. 3728
  6577. File
  6578. Failed
  6579.  
  6580. C:\DOCUME~1\admin\LOCALS~1\Temp\dot3api.dll
  6581. 3728
  6582. File
  6583. Failed
  6584.  
  6585. C:\DOCUME~1\admin\LOCALS~1\Temp\dot3dlg.dll
  6586. 3728
  6587. File
  6588. Failed
  6589.  
  6590. C:\DOCUME~1\admin\LOCALS~1\Temp\OneX.DLL
  6591. 3728
  6592. File
  6593. Failed
  6594.  
  6595. C:\DOCUME~1\admin\LOCALS~1\Temp\WTSAPI32.dll
  6596. 3728
  6597. File
  6598. Failed
  6599.  
  6600. C:\DOCUME~1\admin\LOCALS~1\Temp\WINSTA.dll
  6601. 3728
  6602. File
  6603. Failed
  6604.  
  6605. C:\DOCUME~1\admin\LOCALS~1\Temp\CRYPT32.dll
  6606. 3728
  6607. File
  6608. Failed
  6609.  
  6610. C:\DOCUME~1\admin\LOCALS~1\Temp\MSASN1.dll
  6611. 3728
  6612. File
  6613. Failed
  6614.  
  6615. C:\DOCUME~1\admin\LOCALS~1\Temp\eappcfg.dll
  6616. 3728
  6617. File
  6618. Failed
  6619.  
  6620. C:\DOCUME~1\admin\LOCALS~1\Temp\MSVCP60.dll
  6621. 3728
  6622. File
  6623. Failed
  6624.  
  6625. C:\DOCUME~1\admin\LOCALS~1\Temp\eappprxy.dll
  6626. 3728
  6627. File
  6628. Failed
  6629.  
  6630. C:\DOCUME~1\admin\LOCALS~1\Temp\RASAPI32.dll
  6631. 3728
  6632. File
  6633. Failed
  6634.  
  6635. C:\DOCUME~1\admin\LOCALS~1\Temp\rasman.dll
  6636. 3728
  6637. File
  6638. Failed
  6639.  
  6640. C:\DOCUME~1\admin\LOCALS~1\Temp\TAPI32.dll
  6641. 3728
  6642. File
  6643. Failed
  6644.  
  6645. C:\DOCUME~1\admin\LOCALS~1\Temp\WINMM.dll
  6646. 3728
  6647. File
  6648. Failed
  6649.  
  6650. C:\DOCUME~1\admin\LOCALS~1\Temp\WZCSAPI.DLL
  6651. 3728
  6652. File
  6653. Failed
  6654.  
  6655. C:\DOCUME~1\admin\LOCALS~1\Temp\WZCSvc.DLL
  6656. 3728
  6657. File
  6658. Failed
  6659.  
  6660. C:\DOCUME~1\admin\LOCALS~1\Temp\WMI.dll
  6661. 3728
  6662. File
  6663. Failed
  6664.  
  6665. C:\DOCUME~1\admin\LOCALS~1\Temp\DHCPCSVC.DLL
  6666. 3728
  6667. File
  6668. Failed
  6669.  
  6670. C:\DOCUME~1\admin\LOCALS~1\Temp\DNSAPI.dll
  6671. 3728
  6672. File
  6673. Failed
  6674.  
  6675. C:\DOCUME~1\admin\LOCALS~1\Temp\EapolQec.dll
  6676. 3728
  6677. File
  6678. Failed
  6679.  
  6680. C:\DOCUME~1\admin\LOCALS~1\Temp\QUtil.dll
  6681. 3728
  6682. File
  6683. Failed
  6684.  
  6685. C:\DOCUME~1\admin\LOCALS~1\Temp\ESENT.dll
  6686. 3728
  6687. Regkey
  6688. Added
  6689.  
  6690. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing
  6691. 3728
  6692. Regkey
  6693. Added
  6694.  
  6695. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg
  6696. 3728
  6697. Regkey
  6698. Setval
  6699.  
  6700. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\"LogSessionName" = stdout
  6702. 3728
  6703. Regkey
  6704. Setval
  6705.  
  6706. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\"Active" = 0x00000001
  6708. 3728
  6709. Regkey
  6710. Setval
  6711.  
  6712. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\"ControlFlags" = 0x00000001
  6714. 3728
  6715. Regkey
  6716. Added
  6717.  
  6718. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier
  6720. 3728
  6721. Regkey
  6722. Setval
  6723.  
  6724. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier\"Guid" = 5f31090b-d990-4e91-b16d-46121d0255aa
  6726. 3728
  6727. Regkey
  6728. Setval
  6729.  
  6730. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier\"BitNames" = Error Unusual Info Debug
  6732. 3728
  6733. Process
  6734. Duplicate Opened
  6735.  
  6736. Source: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  6737. Target: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  6738.  
  6739. 3728
  6740. 3728
  6741. 3728
  6742. 3728
  6743.  
  6744. Regkey
  6745. Setval
  6746.  
  6747. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\"LogSessionName" = stdout
  6749. 3728
  6750. Regkey
  6751. Setval
  6752.  
  6753. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\"Active" = 0x00000001
  6755. 3728
  6756. Regkey
  6757. Setval
  6758.  
  6759. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\"ControlFlags" = 0x00000001
  6761. 3728
  6762. Regkey
  6763. Setval
  6764.  
  6765. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier\"Guid" = 5f31090b-d990-4e91-b16d-46121d0255aa
  6767. 3728
  6768. Regkey
  6769. Setval
  6770.  
  6771. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier\"BitNames" = Error Unusual Info Debug
  6773. 3728
  6774. API Call
  6775.  
  6776. API Name: Sleep Address: 0x0040de21
  6777. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6778. 3728
  6779. API Call
  6780.  
  6781. API Name: GetSystemTime Address: 0x63004857
  6782. Params: [0xf3e9c8]
  6783. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6784. 3728
  6785. API Call
  6786.  
  6787. API Name: SystemTimeToFileTime Address: 0x63004862
  6788. Params: [0xf3e9c8, 0x630b19f8]
  6789. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6790. 3728
  6791. Regkey
  6792. Added
  6793.  
  6794. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  6796. 3728
  6797. Regkey
  6798. Added
  6799.  
  6800. \REGISTRY\MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
  6801. 3728
  6802. Regkey
  6803. Added
  6804.  
  6805. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
  6806. 3728
  6807. Regkey
  6808. Added
  6809.  
  6810. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing
  6811. 3728
  6812. Regkey
  6813. Added
  6814.  
  6815. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil
  6816. 3728
  6817. Regkey
  6818. Setval
  6819.  
  6820. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\"LogSessionName" = stdout
  6822. 3728
  6823. Regkey
  6824. Setval
  6825.  
  6826. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\"Active" = 0x00000001
  6828. 3728
  6829. Regkey
  6830. Setval
  6831.  
  6832. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\"ControlFlags" = 0x00000001
  6834. 3728
  6835. Regkey
  6836. Added
  6837.  
  6838. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier
  6840. 3728
  6841. Regkey
  6842. Setval
  6843.  
  6844. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier\"Guid" = 8aefce96-4618-42ff-a057-3536aa78233e
  6846. 3728
  6847. Regkey
  6848. Setval
  6849.  
  6850. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier\"BitNames" = Error Unusual Info Debug
  6852. 3728
  6853. Regkey
  6854. Added
  6855.  
  6856. \REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\factura
  6857. 3728
  6858. Regkey
  6859. Added
  6860.  
  6861. \REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\factura\DEBUG
  6862. 3728
  6863. Regkey
  6864. Deleteval
  6865.  
  6866. \REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\factura\DEBUG\"Trace Level"
  6867. 3728
  6868. Regkey
  6869. Setval
  6870.  
  6871. \REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\factura\DEBUG\"Trace Level" =
  6872. 3728
  6873. Regkey
  6874. Setval
  6875.  
  6876. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\"EventMessageFile" = C:\WINDOWS\system32\ESENT.dll
  6878. 3728
  6879. Regkey
  6880. Setval
  6881.  
  6882. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\"CategoryMessageFile" = C:\WINDOWS\system32\ESENT.dll
  6884. 3728
  6885. Regkey
  6886. Setval
  6887.  
  6888. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\"CategoryCount" = 0x00000010
  6890. 3728
  6891. Regkey
  6892. Setval
  6893.  
  6894. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\"TypesSupported" = 0x00000007
  6896. 3728
  6897. Wmiquery
  6898.  
  6899. Imagepath: C:\WINDOWS\system32\wbem\wmiprvse.exe
  6900. 3528
  6901. API Call
  6902.  
  6903. API Name: GetSystemDirectoryA Address: 0x004f8683
  6904. Params: [0xf3f924, 260]
  6905. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6906. 3728
  6907. API Call
  6908.  
  6909. API Name: Sleep Address: 0x0040de21
  6910. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6911. 3728
  6912. Network
  6913. Connect
  6914.  
  6915. Protocol Type: tcp Destination Port: 9101 IP Address: 128.31.0.39
  6916. Imagepath: c:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  6917. 3728
  6918. API Call
  6919.  
  6920. API Name: Sleep Address: 0x0040de21
  6921. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6922. 3728
  6923. API Call
  6924.  
  6925. API Name: Sleep Address: 0x0040de21
  6926. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6927. 3728
  6928. ProcessTelemetryReport
  6929.  
  6930. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  6931. 3728
  6932. 10 Repeated items skipped
  6933. API Call
  6934.  
  6935. API Name: Sleep Address: 0x0040de21
  6936. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6937. 3728
  6938. 4 Repeated items skipped
  6939. Malicious Alert
  6940. High Repeated Sleep Calls
  6941.  
  6942. Message: High repeated sleep calls
  6943.  
  6944. API Call
  6945.  
  6946. API Name: Sleep Address: 0x0040de21
  6947. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6948. 3728
  6949. API Call
  6950.  
  6951. API Name: Sleep Address: 0x0040de21
  6952. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  6953. 3728
  6954. 4 Repeated items skipped
  6955. Regkey
  6956. Setval
  6957.  
  6958. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xmode" = 751
  6959. 3728
  6960. Regkey
  6961. Added
  6962.  
  6963. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
  6964. 3728
  6965. Regkey
  6966. Setval
  6967.  
  6968. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xpk" = -----BEGIN PUBLIC KEY-----.MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAzXhnkH11n+xqxQcisQj5.OefrHjVnqNj+WJAhxscQ47lIoTW8X82MNpwTr6ZWwWHTNB0uoppja4vH34ZPFFow.5F/vnPoHa027gaWAZg7o1CIlUeMrKQvRSDYjW8HEHpO16qfsPDWqOIUCpI/oAgpY.XC5neQgNUgQccO6edxoZipUSlLZ5H8c+/996RNOM0NZawLBOLoWAHtSDYLVHgt2z.vsn43Z+nQbTzJtjHn9rtwv7ppecgE3JHTYQ4qI3T0CtF6SsO82mDqk7UPG3kqMb2.O13/g2G7u6vCtB951pbvG9A6z//zD2zwhufn6o8LRURvOUdRQaQGIxgCWD8KsLLS.fiXIBiemeVuHbOzK6cgaBR8K0Lcy1nnXo4gNZdDSRkFDcVAh4bSl8GztPYUSvFMG.5m8weQyyuABQ30O/AKtCHZlJPF0Ouy
  6974. 3728
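Added example, not part of the sandbox report: the "xpk" value above is a PEM public key written into the registry, preserved here only up to where the export cut it off, with "." standing where the PEM line breaks were. The first 64 base64 characters are still enough to identify the key, because they decode to the SubjectPublicKeyInfo header, the rsaEncryption OID and the length of the modulus INTEGER. The block walks that DER prefix by hand (a crypto library would reject the truncated key) and reports the algorithm and modulus size. XPK_HEAD is copied from the value above; the helper names and the OID table are mine.

```python
"""Identify the algorithm and key size from the head of a truncated PEM public
key by walking the DER prefix: SubjectPublicKeyInfo SEQUENCE, AlgorithmIdentifier
OID, BIT STRING header, then (for RSA) the length of the modulus INTEGER."""
import base64

# First PEM line of the "xpk" registry value as it appears on this page; "."
# marks where the original line breaks were and the value is cut off after it.
XPK_HEAD = ("-----BEGIN PUBLIC KEY-----."
            "MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAzXhnkH11n+xqxQcisQj5.")

OIDS = {"2a864886f70d010101": "rsaEncryption",     # 1.2.840.113549.1.1.1
        "2a8648ce3d0201": "ecPublicKey"}           # 1.2.840.10045.2.1


def read_tlv(buf, pos):
    """Return (tag, length, offset of value) for the DER element at pos. Only the
    header is read, so this works even when the value itself is cut off."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, length, pos


def identify_truncated_spki(pem_head):
    body = pem_head.split("-----BEGIN PUBLIC KEY-----", 1)[1]
    b64 = "".join(ch for ch in body if ch.isalnum() or ch in "+/=")
    b64 = b64[: len(b64) - len(b64) % 4]    # drop a partial final base64 quantum
    der = base64.b64decode(b64)
    tag, total, pos = read_tlv(der, 0)                  # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo")
    tag, alg_len, alg_pos = read_tlv(der, pos)          # AlgorithmIdentifier ::= SEQUENCE
    tag, oid_len, oid_pos = read_tlv(der, alg_pos)      # algorithm OBJECT IDENTIFIER
    oid = der[oid_pos:oid_pos + oid_len].hex()
    result = {"algorithm": OIDS.get(oid, "OID " + oid), "der_length": pos + total, "bits": None}
    tag, _, pos = read_tlv(der, alg_pos + alg_len)      # subjectPublicKey BIT STRING
    pos += 1                                            # unused-bits byte
    if result["algorithm"] == "rsaEncryption":
        tag, _, pos = read_tlv(der, pos)                # RSAPublicKey ::= SEQUENCE
        tag, mod_len, pos = read_tlv(der, pos)          # modulus INTEGER
        if der[pos] == 0:                               # sign-padding byte is not part of n
            mod_len -= 1
        result["bits"] = mod_len * 8
    return result


if __name__ == "__main__":
    print(identify_truncated_spki(XPK_HEAD))
```

For the value above this reports an RSA key with a 3072-bit modulus (the INTEGER length 0x181 = 385 bytes includes one sign-padding zero byte) inside a 422-byte SubjectPublicKeyInfo. A modulus of that size rules out any recovery of the encrypted files without the matching private key; what the registry value is good for is as an indicator, and as a key to correlate other samples that carry the same "xpk".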
  6975. Regkey
  6976. Added
  6977.  
  6978. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
  6979. 3728
  6980. Regkey
  6981. Setval
  6982.  
  6983. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xstate" = 3
  6984. 3728
  6985. Regkey
  6986. Added
  6987.  
  6988. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
  6989. 3728
  6990. Regkey
  6991. Setval
  6992.  
  6993. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 0
  6994. 3728
  6995. Regkey
  6996. Added
  6997.  
  6998. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
  6999. 3728
  7000. Regkey
  7001. Setval
  7002.  
  7003. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"shst" = 2
  7004. 3728
  7005. API Call
  7006.  
  7007. API Name: GetSystemDirectoryW Address: 0x00413079
  7008. Params: [0x12f200, 1024]
  7009. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  7010. 3728
  7011. API Call
  7012.  
  7013. API Name: Sleep Address: 0x0040de21
  7014. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  7015. 3728
  7016. API Call
  7017.  
  7018. API Name: Sleep Address: 0x0040de21
  7019. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  7020. 3728
  7021. 8 Repeated items skipped
  7022. File
  7023. Created
  7024.  
  7025. C:\README1.txt
  7026. 3728
  7027. File
  7028. Close
  7029.  
  7030. C:\README1.txt
  7031. MD5: 0723ecdfbdfd4e83bba7f77a14756784
  7032. SHA1: d1933d895316c42bf6aca612ec9e8c45ff0d0d1e
  7033. 3728 2136
  7034. API Call
  7035.  
  7036. API Name: Sleep Address: 0x0040de21
  7037. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  7038. 3728
  7039. API Call
  7040.  
  7041. API Name: Sleep Address: 0x0040de21
  7042. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  7043. 3728
  7044. 3 Repeated items skipped
  7045. File
  7046. Created
  7047.  
  7048. C:\README2.txt
  7049. 3728
  7050. File
  7051. Close
  7052.  
  7053. C:\README2.txt
  7054. MD5: 0723ecdfbdfd4e83bba7f77a14756784
  7055. SHA1: d1933d895316c42bf6aca612ec9e8c45ff0d0d1e
  7056. 3728 2136
  7057. File
  7058. Created
  7059.  
  7060. C:\README3.txt
  7061. 3728
  7062. File
  7063. Close
  7064.  
  7065. C:\README3.txt
  7066. MD5: 0723ecdfbdfd4e83bba7f77a14756784
  7067. SHA1: d1933d895316c42bf6aca612ec9e8c45ff0d0d1e
  7068. 3728 2136
  7069. API Call
  7070.  
  7071. API Name: Sleep Address: 0x0040de21
  7072. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  7073. 3728
  7074. File
  7075. Created
  7076.  
  7077. C:\README4.txt
  7078. 3728
  7079. File
  7080. Close
  7081.  
  7082. C:\README4.txt
  7083. MD5: 0723ecdfbdfd4e83bba7f77a14756784
  7084. SHA1: d1933d895316c42bf6aca612ec9e8c45ff0d0d1e
  7085. 3728 2136
  7086. File
  7087. Created
  7088.  
  7089. C:\README5.txt
  7090. 3728
  7091. File
  7092. Close
  7093.  
  7094. C:\README5.txt
  7095. MD5: 0723ecdfbdfd4e83bba7f77a14756784
  7096. SHA1: d1933d895316c42bf6aca612ec9e8c45ff0d0d1e
  7097. 3728 2136
  7098. API Call
  7099.  
  7100. API Name: Sleep Address: 0x0040de21
  7101. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  7102. 3728
  7103. File
  7104. Created
  7105.  
  7106. C:\README6.txt
  7107. 3728
  7108. File
  7109. Close
  7110.  
  7111. C:\README6.txt
  7112. MD5: 0723ecdfbdfd4e83bba7f77a14756784
  7113. SHA1: d1933d895316c42bf6aca612ec9e8c45ff0d0d1e
  7114. 3728 2136
  7115. API Call
  7116.  
  7117. API Name: Sleep Address: 0x0040de21
  7118. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  7119. 3728
  7120. File
  7121. Created
  7122.  
  7123. C:\README7.txt
  7124. 3728
  7125. File
  7126. Close
  7127.  
  7128. C:\README7.txt
  7129. MD5: 0723ecdfbdfd4e83bba7f77a14756784
  7130. SHA1: d1933d895316c42bf6aca612ec9e8c45ff0d0d1e
  7131. 3728 2136
  7132. File
  7133. Created
  7134.  
  7135. C:\README8.txt
  7136. 3728
  7137. File
  7138. Close
  7139.  
  7140. C:\README8.txt
  7141. MD5: 0723ecdfbdfd4e83bba7f77a14756784
  7142. SHA1: d1933d895316c42bf6aca612ec9e8c45ff0d0d1e
  7143. 3728 2136
  7144. API Call
  7145.  
  7146. API Name: Sleep Address: 0x0040de21
  7147. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  7148. 3728
  7149. File
  7150. Created
  7151.  
  7152. C:\README9.txt
  7153. 3728
  7154. File
  7155. Close
  7156.  
  7157. C:\README9.txt
  7158. MD5: 0723ecdfbdfd4e83bba7f77a14756784
  7159. SHA1: d1933d895316c42bf6aca612ec9e8c45ff0d0d1e
  7160. 3728 2136
  7161. File
  7162. Created
  7163.  
  7164. C:\README10.txt
  7165. 3728
  7166. File
  7167. Close
  7168.  
  7169. C:\README10.txt
  7170. MD5: 0723ecdfbdfd4e83bba7f77a14756784
  7171. SHA1: d1933d895316c42bf6aca612ec9e8c45ff0d0d1e
  7172. 3728 2136
  7173. Regkey
  7174. Added
  7175.  
  7176. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
  7177. 3728
  7178. Regkey
  7179. Setval
  7180.  
  7181. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xstate" = 4
  7182. 3728
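Added example, not part of the sandbox report or of the sample: a parser for the flattened record layout this log uses, followed by a triage pass over the records that matter most here. Each record is a Type line, an optional Mode/Class line, a blank line, one or more detail lines, and a closing line of integers (the PID, then a parent PID or a file size depending on the record type); an "N Repeated items skipped" line applies to the record before it, and registry paths that the paste wrapped onto two lines have to be joined back first. The triage flags the Run value "Client Server Runtime Subsystem" pointing at a csrss.exe outside %SystemRoot% (the real csrss.exe lives in System32 and is started by smss.exe, never from a Run key), collects every value the sample writes under HKLM\SOFTWARE\System32\Configuration (a key that does not exist on a clean Windows install), records the TCP listen and connect activity, and lists the README*.txt notes with their hashes. The connect to 128.31.0.39:9101 is the Tor directory authority moria1, which together with the Tor data-directory files under Temp\6893A5D897 (lock, state, the cached-consensus and cached-microdescs lookups) shows the sample bootstrapping an embedded Tor client. SAMPLE_LOG is constructed from records on this page, with paste line counters of my own; the field names and the list of masqueradable system binaries are mine.

```python
"""Parse a flattened sandbox log (Type line, optional Mode line, blank line, detail
lines, then a line of integers: PID plus parent PID or file size) and extract IOCs.
SAMPLE_LOG below is constructed from records on this page (paste counters are mine)."""
import re
from dataclasses import dataclass, field

TYPES = {"Regkey", "File", "API Call", "Network", "Mutex", "Malicious Alert",
         "Process", "Wmiquery", "ProcessTelemetryReport"}
PID_LINE = re.compile(r"^\d+(?: \d+)*$")
PREFIX = re.compile(r"^\s*\d+\.\s?")                      # pastebin line-number residue
REPEATS = re.compile(r"^(\d+) Repeated items skipped$")
RUN_VALUE = re.compile(r'\\CurrentVersion\\Run\\"(?P<name>[^"]+)" = "?(?P<path>[^"]+?)"?$', re.I)
NET_LINE = re.compile(r"(?:Listen|Destination) Port: (?P<port>\d+) IP Address: (?P<ip>[\d.]+)")
CONFIG_KEY = r'\REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"'   # no such key on a clean host
SYSTEM_BINARIES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}

SAMPLE_LOG = r"""
  1. Regkey
  2. Setval
  3.  
  4. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run\"Client Server Runtime Subsystem" = "C:\Documents and Settings\All Users\Application Data\Windows\csrss.exe"
  5. 3728
  6. Regkey
  7. Setval
  8.  
  9. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xVersion" = 4.0.0.1
  10. 3728
  11. Network
  12. Listen
  13.  
  14. Protocol Type: tcp Listen Port: 1064 IP Address: 127.0.0.1:1064
  15. 3728
  16. Network
  17. Connect
  18.  
  19. Protocol Type: tcp Destination Port: 9101 IP Address: 128.31.0.39
  20. 3728
  21. File
  22. Close
  23.  
  24. C:\README1.txt
  25. MD5: 0723ecdfbdfd4e83bba7f77a14756784
  26. 3728 2136
  27. 3 Repeated items skipped
"""


@dataclass
class Record:
    rtype: str
    mode: str = ""
    details: list = field(default_factory=list)
    ids: list = field(default_factory=list)   # PID, then parent PID and/or file size
    repeats: int = 0                          # from a following "N Repeated items skipped"


def parse(text):
    lines = [PREFIX.sub("", ln).rstrip() for ln in text.splitlines()]
    records, i = [], 0
    while i < len(lines):
        if lines[i] in TYPES:
            rec = Record(lines[i])
            i += 1
            if i < len(lines) and lines[i]:          # Mode/Class line is optional
                rec.mode, i = lines[i], i + 1
            i += 1                                   # blank separator
            while i < len(lines) and lines[i] and not PID_LINE.match(lines[i]):
                rec.details.append(lines[i])
                i += 1
            if i < len(lines) and PID_LINE.match(lines[i]):   # integer line closes the record
                rec.ids = [int(x) for x in lines[i].split()]
                i += 1
            records.append(rec)
            continue
        m = REPEATS.match(lines[i])
        if m and records:
            records[-1].repeats = int(m.group(1))
        i += 1
    return records


def triage(records):
    out = {"persistence": [], "config_values": [], "listen": [], "connect": [], "ransom_notes": []}
    for r in records:
        d = " ".join(r.details)
        if r.rtype == "Regkey" and r.mode == "Setval":
            if m := RUN_VALUE.search(d):
                path = m.group("path").lower()
                out["persistence"].append({"value": m.group("name"), "path": m.group("path"),
                    # a core system binary name outside %SystemRoot% is masquerading
                    "masquerade": path.rsplit("\\", 1)[-1] in SYSTEM_BINARIES
                    and not path.startswith("c:\\windows\\")})
            elif d.startswith(CONFIG_KEY):
                name, _, value = d[len(CONFIG_KEY):].partition(" = ")
                out["config_values"].append((name.strip('"'), value))
        elif r.rtype == "Network" and (m := NET_LINE.search(d)):
            out[r.mode.lower()].append((m.group("ip"), int(m.group("port"))))
        elif r.rtype == "File" and r.mode == "Close" and r.details \
                and re.search(r"\\README\d*\.txt$", r.details[0], re.I):
            md5 = next((x[5:] for x in r.details if x.startswith("MD5: ")), None)
            out["ransom_notes"].append((r.details[0], md5))
    return out
```

Run it with triage(parse(SAMPLE_LOG)) (or feed it the whole paste once the wrapped registry lines are joined); the result is a dict of persistence entries, configuration values, listen and connect tuples, and ransom notes with their MD5. The masquerade flag is the check worth keeping in a detection rule: a Run value whose target file name matches a core Windows binary but whose path is outside C:\Windows is malicious on its own, before any hash lookup.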
  7183. API Call
  7184.  
  7185. API Name: Sleep Address: 0x0040de21
  7186. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  7187. 3728
  7188. Regkey
  7189. Added
  7190.  
  7191. \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  7192. 3728
  7193. Regkey
  7194. Added
  7195.  
  7196. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  7198. 3728
  7199. API Call
  7200.  
  7201. API Name: Sleep Address: 0x0040de21
  7202. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  7203. 3728
  7204. API Call
  7205.  
  7206. API Name: GetSystemDirectoryW Address: 0x00413079
  7207. Params: [0x12ef40, 1024]
  7208. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  7209. 3728
  7210. API Call
  7211.  
  7212. API Name: GetSystemDirectoryW Address: 0x00413079
  7213. Params: [0x20ef570, 1024]
  7214. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  7215. 3728
  7216. File
  7217. Find
  7218.  
  7219. C:\*
  7220. 3728
  7221. API Call
  7222.  
  7223. API Name: Sleep Address: 0x0040de21
  7224. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  7225. 3728
  7226. Regkey
  7227. Added
  7228.  
  7229. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
  7230. 3728
  7231. Regkey
  7232. Setval
  7233.  
  7234. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 0
  7235. 3728
  7236. 7 Repeated items skipped
  7237. API Call
  7238.  
  7239. API Name: Sleep Address: 0x0040de21
  7240. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  7241. 3728
  7242. Regkey
  7243. Added
  7244.  
  7245. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
  7246. 3728
  7247. Regkey
  7248. Setval
  7249.  
  7250. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 0
  7251. 3728
  7252. 23 Repeated items skipped
  7253. API Call
  7254.  
  7255. API Name: Sleep Address: 0x0040de21
  7256. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  7257. 3728
  7258. Regkey
  7259. Added
  7260.  
  7261. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
  7262. 3728
  7263. Regkey
  7264. Setval
  7265.  
  7266. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 0
  7267. 3728
  7268. 11 Repeated items skipped
  7269. File
  7270. Failed
  7271.  
  7272. C:\System Volume Information
  7273. 3728
  7274. Regkey
  7275. Added
  7276.  
  7277. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
  7278. 3728
  7279. Regkey
  7280. Setval
  7281.  
  7282. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 0
  7283. 3728
  7284. 65 Repeated items skipped
  7285. File
  7286. Find
  7287.  
  7288. C:\MSOCache\*
  7289. 3728
  7290. Regkey
  7291. Added
  7292.  
  7293. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
  7294. 3728
  7295. Regkey
  7296. Setval
  7297.  
  7298. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 0
  7299. 3728
  7300. 23 Repeated items skipped
  7301. File
  7302. Find
  7303.  
  7304. C:\MSOCache\*\*
  7305. 3728
  7306. Regkey
  7307. Added
  7308.  
  7309. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
  7310. 3728
  7311. Regkey
  7312. Setval
  7313.  
  7314. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 0
  7315. 3728
  7316. 81 Repeated items skipped
  7317. File
  7318. Open
  7319.  
  7320. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\Setup.xml
  7321. 3728 9952
  7322. Regkey
  7323. Added
  7324.  
  7325. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
  7326. 3728
  7327. Regkey
  7328. Setval
  7329.  
  7330. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 0
  7331. 3728
  7332. 13 Repeated items skipped
  7333. File
  7334. Close
  7335.  
  7336. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\Setup.xml
  7337. MD5: 9e188ff151ebb7c60f0d18c1e5f1400d
  7338. SHA1: 3692667bfdeb85ead1958b5392498768172773c0
  7339. 3728 10336
  7340. Regkey
  7341. Added
  7342.  
  7343. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
  7344. 3728
  7345. Regkey
  7346. Setval
  7347.  
  7348. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 0
  7349. 3728
  7350. 3 Repeated items skipped
  7351. File
  7352. Open
  7353.  
  7354. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\Setup.xml
  7355. MD5: 9e188ff151ebb7c60f0d18c1e5f1400d
  7356. SHA1: 3692667bfdeb85ead1958b5392498768172773c0
  7357. 3728 10336
  7358. File
  7359. Close
  7360.  
  7361. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\Setup.xml
  7362. MD5: 526d94208b86b05e22bce4cd6962ba33
  7363. SHA1: 483427412bf5a08c91e450745d8e03a413cfb214
  7364. 3728 10336
  7365. Regkey
  7366. Added
  7367.  
  7368. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
  7369. 3728
  7370. Regkey
  7371. Setval
  7372.  
  7373. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 0
  7374. 3728
  7375. 35 Repeated items skipped
  7376. File
  7377. Rename
  7378.  
  7379. Old Name: C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\Setup.xml
  7380. New Name: C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\WeBlMTjJcwcvUDmf4eL5SL7kg+7nPVmiJog5J37q6vg=.4F3773E1C2AF79622E62.no_more_ransom
  7382. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  7383. MD5: 526d94208b86b05e22bce4cd6962ba33
  7384. SHA1: 483427412bf5a08c91e450745d8e03a413cfb214
  7385. 3728 10336
  7386. Regkey
  7387. Added
  7388.  
  7389. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
  7390. 3728
  7391. Regkey
  7392. Setval
  7393.  
  7394. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 0
  7395. 3728
  7396. 12 Repeated items skipped
  7397. Regkey
  7398. Setval
  7399.  
  7400. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 1
  7401. 3728
  7402. File
  7403. Failed
  7404.  
  7405. C:\Documents and Settings\All Users\Application Data\System32
  7406. 3728
  7407. Folder
  7408. Created
  7409.  
  7410. C:\Documents and Settings\All Users\Application Data\System32
  7411. 3728
  7412. Folder
  7413. Hide
  7414.  
  7415. C:\Documents and Settings\All Users\Application Data\System32
  7416. 3728
  7417. File
  7418. Failed
  7419.  
  7420. C:\Documents and Settings\All Users\Application Data\System32\xfs
  7421. 3728
  7422. File
  7423. Open
  7424.  
  7425. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\setup.chm
  7426. 3728 52984
  7427. File
  7428. Created
  7429.  
  7430. C:\Documents and Settings\All Users\Application Data\System32\xfs
  7431. 3728
  7432. File
  7433. Close
  7434.  
  7435. C:\Documents and Settings\All Users\Application Data\System32\xfs
  7436. MD5: 39d6b4bdcfe73f17b9647dccb3861a23
  7437. SHA1: 72dbf1c9f3865e02a1de5729ab99335aac74c190
  7438. 3728 180
  7439. File
  7440. Hide
  7441.  
  7442. C:\Documents and Settings\All Users\Application Data\System32\xfs
  7443. MD5: 39d6b4bdcfe73f17b9647dccb3861a23
  7444. SHA1: 72dbf1c9f3865e02a1de5729ab99335aac74c190
  7445. 3728 180
  7446. Regkey
  7447. Setval
  7448.  
  7449. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 1
  7450. 3728
  7451. 2 Repeated items skipped
  7452. File
  7453. Close
  7454.  
  7455. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\setup.chm
  7456. MD5: 5f3c50cf290ff62bdb66df5c89c0c18d
  7457. SHA1: 11a0f6e7fff411f122496f15131f568c68ba708e
  7458. 3728 53368
  7459. Regkey
  7460. Setval
  7461.  
  7462. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 1
  7463. 3728
  7464. 4 Repeated items skipped
  7465. File
  7466. Open
  7467.  
  7468. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\setup.chm
  7469. MD5: 5f3c50cf290ff62bdb66df5c89c0c18d
  7470. SHA1: 11a0f6e7fff411f122496f15131f568c68ba708e
  7471. 3728 53368
  7472. File
  7473. Close
  7474.  
  7475. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\setup.chm
  7476. MD5: 5bdd0fcc46d6876979a94c62b6984d64
  7477. SHA1: 254eb3d2842f8f54d092eee34a695f0f05991815
  7478. 3728 53376
  7479. Regkey
  7480. Setval
  7481.  
  7482. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 1
  7483. 3728
  7484. 5 Repeated items skipped
  7485. API Call
  7486.  
  7487. API Name: Sleep Address: 0x0040de21
  7488. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  7489. 3728
  7490. Regkey
  7491. Setval
  7492.  
  7493. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 1
  7494. 3728
  7495. File
  7496. Rename
  7497.  
  7498. Old Name: C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\setup.chm
  7499. New Name: C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\nNw-Xv39McNTXd2F5L-HbUFAg2vFYTJDS+mgG77zIuo=.4F3773E1C2AF79622E62.no_more_ransom
  7501. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  7502. MD5: 5bdd0fcc46d6876979a94c62b6984d64
  7503. SHA1: 254eb3d2842f8f54d092eee34a695f0f05991815
  7504. 3728 53376
  7505. Regkey
  7506. Setval
  7507.  
  7508. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 2
  7509. 3728
  7510. File
  7511. Open
  7512.  
  7513. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm
  7514. 3728 27084
  7515. File
  7516. Close
  7517.  
  7518. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm
  7519. MD5: a49331f89a2bf3e827bc17611cd957bf
  7520. SHA1: c51115ce29cff90778d52596de2da5843cb7cf5e
  7521. 3728 27468
  7522. File
  7523. Open
  7524.  
  7525. C:\Documents and Settings\All Users\Application Data\System32\xfs
  7526. MD5: 39d6b4bdcfe73f17b9647dccb3861a23
  7527. SHA1: 72dbf1c9f3865e02a1de5729ab99335aac74c190
  7528. 3728 180
  7529. File
  7530. Close
  7531.  
  7532. C:\Documents and Settings\All Users\Application Data\System32\xfs
  7533. MD5: 49bec89058fd36507cb17d359fed9845
  7534. SHA1: 40c65ebe1a8477a7624e257b2def09c37ca464ea
  7535. 3728 362
  7536. File
  7537. Open
  7538.  
  7539. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm
  7540. MD5: a49331f89a2bf3e827bc17611cd957bf
  7541. SHA1: c51115ce29cff90778d52596de2da5843cb7cf5e
  7542. 3728 27468
  7543. File
  7544. Close
  7545.  
  7546. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm
  7547. MD5: 4169825d4e126c52cc987adcc282f99c
  7548. SHA1: 385ed662bfde2035fc1f9b3651176abf30728505
  7549. 3728 27472
  7550. File
  7551. Hide
  7552.  
  7553. C:\Documents and Settings\All Users\Application Data\System32\xfs
  7554. MD5: 49bec89058fd36507cb17d359fed9845
  7555. SHA1: 40c65ebe1a8477a7624e257b2def09c37ca464ea
  7556. 3728 362
  7557. Regkey
  7558. Setval
  7559.  
  7560. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 2
  7561. 3728
  7562. 4 Repeated items skipped
  7563. File
  7564. Rename
  7565.  
  7566. Old Name: C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm
  7567. New Name: C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\eA5Rrbs1zCmjnnhk0QYg1H353H4W3oXrwqWdW-dAmhI=.4F3773E1C2AF79622E62.no_more_ransom
  7569. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  7570. MD5: 4169825d4e126c52cc987adcc282f99c
  7571. SHA1: 385ed662bfde2035fc1f9b3651176abf30728505
  7572. 3728 27472
  7573. Regkey
  7574. Setval
  7575.  
  7576. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 3
  7577. 3728
  7578. File
  7579. Open
  7580.  
  7581. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml
  7582. 3728 821
  7583. File
  7584. Open
  7585.  
  7586. C:\Documents and Settings\All Users\Application Data\System32\xfs
  7587. MD5: 49bec89058fd36507cb17d359fed9845
  7588. SHA1: 40c65ebe1a8477a7624e257b2def09c37ca464ea
  7589. 3728 362
  7590. File
  7591. Close
  7592.  
  7593. C:\Documents and Settings\All Users\Application Data\System32\xfs
  7594. MD5: 4dd0c83846ce516c8aff8a850b94063c
  7595. SHA1: 1d271a435269bd1fb2573c8038ce9d0d0f81667b
  7596. 3728 546
  7597. File
  7598. Close
  7599.  
  7600. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml
  7601. MD5: da67a12f5df2eb9d0812f401a25463c3
  7602. SHA1: 600998178a96ef8704427403906f58ff77c45a4a
  7603. 3728 1205
  7604. File
  7605. Hide
  7606.  
  7607. C:\Documents and Settings\All Users\Application Data\System32\xfs
  7608. MD5: 4dd0c83846ce516c8aff8a850b94063c
  7609. SHA1: 1d271a435269bd1fb2573c8038ce9d0d0f81667b
  7610. 3728 546
  7611. Regkey
  7612. Setval
  7613.  
  7614. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 3
  7615. 3728
  7616. 3 Repeated items skipped
  7617. File
  7618. Open
  7619.  
  7620. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml
  7621. MD5: da67a12f5df2eb9d0812f401a25463c3
  7622. SHA1: 600998178a96ef8704427403906f58ff77c45a4a
  7623. 3728 1205
  7624. File
  7625. Close
  7626.  
  7627. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml
  7628. MD5: 140d643b8e67c3bb53aa07fb5e066ae2
  7629. SHA1: 6b09b2cc0fa68338211b68313f6cb3dff0b21d47
  7630. 3728 1216
  7631. Regkey
  7632. Setval
  7633.  
  7634. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 3
  7635. 3728
  7636. 6 Repeated items skipped
  7637. File
  7638. Rename
  7639.  
  7640. Old Name: C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml
  7641. New Name: C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\EDtCuwa46RBI+UnHpL973M85wamzyPI9WOlBL1x-W-E=.4F3773E1C2AF79622E62.no_more_ransom
  7643. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  7644. MD5: 140d643b8e67c3bb53aa07fb5e066ae2
  7645. SHA1: 6b09b2cc0fa68338211b68313f6cb3dff0b21d47
  7646. 3728 1216
  7647. Regkey
  7648. Setval
  7649.  
  7650. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 4
  7651. 3728
  7652. File
  7653. Open
  7654.  
  7655. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml
  7656. 3728 6003
  7657. File
  7658. Close
  7659.  
  7660. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml
  7661. MD5: 070b01fbe9f691c002dfb729c9770823
  7662. SHA1: ba0f854e5ec4810ef4cab70365219a4449090039
  7663. 3728 6387
  7664. File
  7665. Open
  7666.  
  7667. C:\Documents and Settings\All Users\Application Data\System32\xfs
  7668. MD5: 4dd0c83846ce516c8aff8a850b94063c
  7669. SHA1: 1d271a435269bd1fb2573c8038ce9d0d0f81667b
  7670. 3728 546
  7671. File
  7672. Close
  7673.  
  7674. C:\Documents and Settings\All Users\Application Data\System32\xfs
  7675. MD5: 29d6881402caf7e553b5335a2d9bb161
  7676. SHA1: a544250d8725b1263d0f11b5a5f0346b9a8035b8
  7677. 3728 742
  7678. File
  7679. Open
  7680.  
  7681. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml
  7682. MD5: 070b01fbe9f691c002dfb729c9770823
  7683. SHA1: ba0f854e5ec4810ef4cab70365219a4449090039
  7684. 3728 6387
  7685. File
  7686. Close
  7687.  
  7688. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml
  7689. MD5: 5d296d937f0f4a26e3c495f758777d1a
  7690. SHA1: 99c61a98132b64a58796dfa557105de889c06ea4
  7691. 3728 6400
  7692. File
  7693. Hide
  7694.  
  7695. C:\Documents and Settings\All Users\Application Data\System32\xfs
  7696. MD5: 29d6881402caf7e553b5335a2d9bb161
  7697. SHA1: a544250d8725b1263d0f11b5a5f0346b9a8035b8
  7698. 3728 742
  7699. Regkey
  7700. Setval
  7701.  
  7702. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 4
  7703. 3728
  7704. 6 Repeated items skipped
  7705. File
  7706. Rename
  7707.  
  7708. Old Name: C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml
  7709. New Name: C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\dAUHwYfk3SIwZYR4qhbLVjFaZB45QFe0y0+k-ypxh70=.4F3773E1C2AF79622E62.no_more_ransom
  7711. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  7712. MD5: 5d296d937f0f4a26e3c495f758777d1a
  7713. SHA1: 99c61a98132b64a58796dfa557105de889c06ea4
  7714. 3728 6400
  7715. API Call
  7716.  
  7717. API Name: Sleep Address: 0x0040de21
  7718. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  7719. 3728
  7720. Regkey
  7721. Setval
  7722.  
  7723. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 4
  7724. 3728
  7725. Regkey
  7726. Setval
  7727.  
  7728. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 5
  7729. 3728
  7730. File
  7731. Open
  7732.  
  7733. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\branding.xml
  7734. 3728 509007
  7735. File
  7736. Open
  7737.  
  7738. C:\Documents and Settings\All Users\Application Data\System32\xfs
  7739. MD5: 29d6881402caf7e553b5335a2d9bb161
  7740. SHA1: a544250d8725b1263d0f11b5a5f0346b9a8035b8
  7741. 3728 742
  7742. File
  7743. Close
  7744.  
  7745. C:\Documents and Settings\All Users\Application Data\System32\xfs
  7746. MD5: 6d2240cf059098ee1286d2672309d5c9
  7747. SHA1: 2f77f555976d3454946f630a8dbc952463d8bdf2
  7748. 3728 932
  7749. ProcessTelemetryReport
  7750.  
  7751. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  7752. 3728
  7753. File
  7754. Hide
  7755.  
  7756. C:\Documents and Settings\All Users\Application Data\System32\xfs
  7757. MD5: 6d2240cf059098ee1286d2672309d5c9
  7758. SHA1: 2f77f555976d3454946f630a8dbc952463d8bdf2
  7759. 3728 932
  7760. Regkey
  7761. Setval
  7762.  
  7763. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 5
  7764. 3728
  7765. 28 Repeated items skipped
  7766. File
  7767. Close
  7768.  
  7769. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\branding.xml
  7770. MD5: 5f38fbd6c81b774fed2b9e5ab9f3689f
  7771. SHA1: c76d7ab3d0f2d9f394486d273b74ed0bc2460d61
  7772. 3728 509391
  7773. Regkey
  7774. Setval
  7775.  
  7776. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 5
  7777. 3728
  7778. File
  7779. Open
  7780.  
  7781. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\branding.xml
  7782. MD5: 5f38fbd6c81b774fed2b9e5ab9f3689f
  7783. SHA1: c76d7ab3d0f2d9f394486d273b74ed0bc2460d61
  7784. 3728 509391
  7785. Regkey
  7786. Setval
  7787.  
  7788. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 5
  7789. 3728
  7790. 16 Repeated items skipped
  7791. File
  7792. Close
  7793.  
  7794. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\branding.xml
  7795. MD5: 0bedb1aed513ed1625ae4728f6abeff1
  7796. SHA1: 9b5f198b66c073b0e4ed17dd9b20ad245e700b6b
  7797. 3728 509392
  7798. Regkey
  7799. Setval
  7800.  
  7801. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 5
  7802. 3728
  7803. 3 Repeated items skipped
  7804. API Call
  7805.  
  7806. API Name: Sleep Address: 0x0040de21
  7807. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  7808. 3728
  7809. Regkey
  7810. Setval
  7811.  
  7812. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 5
  7813. 3728
  7814. 3 Repeated items skipped
  7815. File
  7816. Rename
  7817.  
  7818. Old Name: C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\branding.xml
  7819. New Name: C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\5B7s1mKwxQV6IjC0KYnS3UiJaftOwiqXuAJnUcHeyzM=.4F3773E1C2AF79622E62.no_more_ransom
  7821. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  7822. MD5: 0bedb1aed513ed1625ae4728f6abeff1
  7823. SHA1: 9b5f198b66c073b0e4ed17dd9b20ad245e700b6b
  7824. 3728 509392
  7825. Regkey
  7826. Setval
  7827.  
  7828. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 6
  7829. 3728
  7830. File
  7831. Open
  7832.  
  7833. C:\Documents and Settings\All Users\Application Data\System32\xfs
  7834. MD5: 6d2240cf059098ee1286d2672309d5c9
  7835. SHA1: 2f77f555976d3454946f630a8dbc952463d8bdf2
  7836. 3728 932
  7837. File
  7838. Close
  7839.  
  7840. C:\Documents and Settings\All Users\Application Data\System32\xfs
  7841. MD5: ad51c6802f2b39833f203e535fb75491
  7842. SHA1: 62614e7056efe54b51fb10c38cd233241b77bad1
  7843. 3728 1120
  7844. File
  7845. Hide
  7846.  
  7847. C:\Documents and Settings\All Users\Application Data\System32\xfs
  7848. MD5: ad51c6802f2b39833f203e535fb75491
  7849. SHA1: 62614e7056efe54b51fb10c38cd233241b77bad1
  7850. 3728 1120
  7851. Regkey
  7852. Setval
  7853.  
  7854. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 6
  7855. 3728
  7856. 11 Repeated items skipped
  7857. File
  7858. Open
  7859.  
  7860. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml
  7861. 3728 1459
  7862. Regkey
  7863. Setval
  7864.  
  7865. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 6
  7866. 3728
  7867. 15 Repeated items skipped
  7868. File
  7869. Close
  7870.  
  7871. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml
  7872. MD5: e16508f02b43d4a9264a91fa5502bc1e
  7873. SHA1: ca0e4a56740f26af33271e5a95393a388ccff756
  7874. 3728 1843
  7875. Regkey
  7876. Setval
  7877.  
  7878. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 6
  7879. 3728
  7880. 2 Repeated items skipped
  7881. File
  7882. Open
  7883.  
  7884. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml
  7885. MD5: e16508f02b43d4a9264a91fa5502bc1e
  7886. SHA1: ca0e4a56740f26af33271e5a95393a388ccff756
  7887. 3728 1843
  7888. File
  7889. Close
  7890.  
  7891. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml
  7892. MD5: 7e6b76d2cde4c6fdbc5881656d544362
  7893. SHA1: 362fdb15c92193f5d9fd42ffe44ff3672cf49151
  7894. 3728 1856
  7895. Regkey
  7896. Setval
  7897.  
  7898. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 6
  7899. 3728
  7900. 7 Repeated items skipped
  7901. File
  7902. Rename
  7903.  
  7904. Old Name: C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml
  7905. New Name: C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\K5Wai+aK3surjjzsQuxdn-hOs6USOFWmJ9lUpRzi+Q4=.4F3773E1C2AF79622E62.no_more_ransom
  7907. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  7908. MD5: 7e6b76d2cde4c6fdbc5881656d544362
  7909. SHA1: 362fdb15c92193f5d9fd42ffe44ff3672cf49151
  7910. 3728 1856
  7911. Regkey
  7912. Setval
  7913.  
  7914. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 7
  7915. 3728
  7916. File
  7917. Open
  7918.  
  7919. C:\Documents and Settings\All Users\Application Data\System32\xfs
  7920. MD5: ad51c6802f2b39833f203e535fb75491
  7921. SHA1: 62614e7056efe54b51fb10c38cd233241b77bad1
  7922. 3728 1120
  7923. File
  7924. Close
  7925.  
  7926. C:\Documents and Settings\All Users\Application Data\System32\xfs
  7927. MD5: 7803af02e7e1c5aadddf50a12ecbf86c
  7928. SHA1: 1cdd3c9ba24f1791c2f77c7a1856c6fdf0032465
  7929. 3728 1320
  7930. File
  7931. Open
  7932.  
  7933. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml
  7934. 3728 1460
  7935. File
  7936. Hide
  7937.  
  7938. C:\Documents and Settings\All Users\Application Data\System32\xfs
  7939. MD5: 7803af02e7e1c5aadddf50a12ecbf86c
  7940. SHA1: 1cdd3c9ba24f1791c2f77c7a1856c6fdf0032465
  7941. 3728 1320
  7942. Regkey
  7943. Setval
  7944.  
  7945. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 7
  7946. 3728
  7947. 4 Repeated items skipped
  7948. File
  7949. Close
  7950.  
  7951. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml
  7952. MD5: 9de64cba62c419401287f1530dae07c9
  7953. SHA1: b17278cfcef6dfdbd5b3c08280be92c32a442ab4
  7954. 3728 1844
  7955. Regkey
  7956. Setval
  7957.  
  7958. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 7
  7959. 3728
  7960. 2 Repeated items skipped
  7961. File
  7962. Open
  7963.  
  7964. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml
  7965. MD5: 9de64cba62c419401287f1530dae07c9
  7966. SHA1: b17278cfcef6dfdbd5b3c08280be92c32a442ab4
  7967. 3728 1844
  7968. File
  7969. Close
  7970.  
  7971. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml
  7972. MD5: c34e92cfe3bda1cd927384732e5830b3
  7973. SHA1: 5f7e129a2796604c9e9b66112b2d7c3f77ba0ef2
  7974. 3728 1856
  7975. Regkey
  7976. Setval
  7977.  
  7978. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 7
  7979. 3728
  7980. 7 Repeated items skipped
  7981. File
  7982. Rename
  7983.  
  7984. Old Name: C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml
  7985. New Name: C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.es\hPbLH0WyPWeI7QFpiqVjivfK2svXdsGQjOBl1NyOhw4=.4F3773E1C2AF79622E62.no_more_ransom
  7987. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  7988. MD5: c34e92cfe3bda1cd927384732e5830b3
  7989. SHA1: 5f7e129a2796604c9e9b66112b2d7c3f77ba0ef2
  7990. 3728 1856
  7991. API Call
  7992.  
  7993. API Name: Sleep Address: 0x0040de21
  7994. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  7995. 3728
  7996. File
  7997. Open
  7998.  
  7999. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8000. MD5: 7803af02e7e1c5aadddf50a12ecbf86c
  8001. SHA1: 1cdd3c9ba24f1791c2f77c7a1856c6fdf0032465
  8002. 3728 1320
  8003. File
  8004. Close
  8005.  
  8006. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8007. MD5: 940126e4a32ba6613d92486fc48e2c65
  8008. SHA1: 2539fe2fcf1492c57fa3ee09e9b59342120d11d4
  8009. 3728 1520
  8010. File
  8011. Hide
  8012.  
  8013. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8014. MD5: 940126e4a32ba6613d92486fc48e2c65
  8015. SHA1: 2539fe2fcf1492c57fa3ee09e9b59342120d11d4
  8016. 3728 1520
  8017. File
  8018. Open
  8019.  
  8020. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml
  8021. 3728 1350
  8022. File
  8023. Close
  8024.  
  8025. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml
  8026. MD5: df68c1d0d04f14d4e0c21218362f78fa
  8027. SHA1: e69ca8f51c57ff6cefe469110b8d0b35a12f5521
  8028. 3728 1734
  8029. File
  8030. Open
  8031.  
  8032. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml
  8033. MD5: df68c1d0d04f14d4e0c21218362f78fa
  8034. SHA1: e69ca8f51c57ff6cefe469110b8d0b35a12f5521
  8035. 3728 1734
  8036. File
  8037. Close
  8038.  
  8039. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml
  8040. MD5: b409bd7e10f3a370916eed3600bac027
  8041. SHA1: 512e08aa891bfc4ac7b65b7cb572a52a40695f8c
  8042. 3728 1744
  8043. File
  8044. Rename
  8045.  
  8046. Old Name: C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml
  8047. New Name: C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.en\UEUCF5aYo80+42hgcshX9r1PWTJh-42KDE6GCGI0VqY=.4F3773E1C2AF79622E62.no_more_ransom
  8049. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  8050. MD5: b409bd7e10f3a370916eed3600bac027
  8051. SHA1: 512e08aa891bfc4ac7b65b7cb572a52a40695f8c
  8052. 3728 1744
  8053. File
  8054. Open
  8055.  
  8056. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Setup.xml
  8057. 3728 5884
  8058. File
  8059. Open
  8060.  
  8061. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8062. MD5: 940126e4a32ba6613d92486fc48e2c65
  8063. SHA1: 2539fe2fcf1492c57fa3ee09e9b59342120d11d4
  8064. 3728 1520
  8065. File
  8066. Close
  8067.  
  8068. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8069. MD5: 1f5e8f24654b230fd5018091adf26c21
  8070. SHA1: a9b4a3e7301660453ed15670c2aaa548817ee0fd
  8071. 3728 1720
  8072. File
  8073. Close
  8074.  
  8075. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Setup.xml
  8076. MD5: 6eee90ce2e4083c55dc6cd9f7fc08d0c
  8077. SHA1: 3e0d027d2861b6569fc0d6c5e4f197997a7f8819
  8078. 3728 6268
  8079. File
  8080. Hide
  8081.  
  8082. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8083. MD5: 1f5e8f24654b230fd5018091adf26c21
  8084. SHA1: a9b4a3e7301660453ed15670c2aaa548817ee0fd
  8085. 3728 1720
  8086. File
  8087. Open
  8088.  
  8089. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Setup.xml
  8090. MD5: 6eee90ce2e4083c55dc6cd9f7fc08d0c
  8091. SHA1: 3e0d027d2861b6569fc0d6c5e4f197997a7f8819
  8092. 3728 6268
  8093. File
  8094. Close
  8095.  
  8096. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Setup.xml
  8097. MD5: dc2345e8176d8a8a14de418af4cbeb91
  8098. SHA1: fb962432bcc57c2388842a2878e922f3245e7c3d
  8099. 3728 6272
  8100. File
  8101. Rename
  8102.  
  8103. Old Name: C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Setup.xml
  8104. New Name: C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\2jFEZub-kNhUofdW7aQMZnPaeycuIwBxMkdp1I21TcQ=.4F3773E1C2AF79622E62.no_more_ransom
  8106. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  8107. MD5: dc2345e8176d8a8a14de418af4cbeb91
  8108. SHA1: fb962432bcc57c2388842a2878e922f3245e7c3d
  8109. 3728 6272
  8110. File
  8111. Open
  8112.  
  8113. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml
  8114. 3728 813
  8115. File
  8116. Open
  8117.  
  8118. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8119. MD5: 1f5e8f24654b230fd5018091adf26c21
  8120. SHA1: a9b4a3e7301660453ed15670c2aaa548817ee0fd
  8121. 3728 1720
  8122. File
  8123. Close
  8124.  
  8125. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8126. MD5: c25de7981dc4c990696ab51451fbf8fb
  8127. SHA1: 525b9082b94f67a7d7e297b7271928469d74566b
  8128. 3728 1902
  8129. File
  8130. Close
  8131.  
  8132. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml
  8133. MD5: 35b1d92672df1220ae323bd888669d6d
  8134. SHA1: 285ba81b0f6fb9b30627759ed40219eee40a3ae9
  8135. 3728 1197
  8136. File
  8137. Hide
  8138.  
  8139. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8140. MD5: c25de7981dc4c990696ab51451fbf8fb
  8141. SHA1: 525b9082b94f67a7d7e297b7271928469d74566b
  8142. 3728 1902
  8143. File
  8144. Open
  8145.  
  8146. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml
  8147. MD5: 35b1d92672df1220ae323bd888669d6d
  8148. SHA1: 285ba81b0f6fb9b30627759ed40219eee40a3ae9
  8149. 3728 1197
  8150. File
  8151. Close
  8152.  
  8153. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml
  8154. MD5: ee662580ebe0ac58488d8744ae996654
  8155. SHA1: a0bee3175249b78beabe24c019d3e1ca61c6a194
  8156. 3728 1200
  8157. File
  8158. Rename
  8159.  
  8160. Old Name: C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml
  8161. New Name: C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\+tmqgjz--OX8VY8O93nQfZ7llvlWOULdWsu9qtMFeAs=.4F3773E1C2AF79622E62.no_more_ransom
  8163. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  8164. MD5: ee662580ebe0ac58488d8744ae996654
  8165. SHA1: a0bee3175249b78beabe24c019d3e1ca61c6a194
  8166. 3728 1200
  8167. File
  8168. Open
  8169.  
  8170. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8171. MD5: c25de7981dc4c990696ab51451fbf8fb
  8172. SHA1: 525b9082b94f67a7d7e297b7271928469d74566b
  8173. 3728 1902
  8174. File
  8175. Close
  8176.  
  8177. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8178. MD5: ed13264cda60f8409a0e3979451bfd79
  8179. SHA1: 4afc9bdff1595151802cd32ad3ff2303382e088f
  8180. 3728 2090
  8181. File
  8182. Hide
  8183.  
  8184. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8185. MD5: ed13264cda60f8409a0e3979451bfd79
  8186. SHA1: 4afc9bdff1595151802cd32ad3ff2303382e088f
  8187. 3728 2090
  8188. File
  8189. Open
  8190.  
  8191. C:\MSOCache\All Users\{90120000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml
  8192. 3728 1798
  8193. File
  8194. Close
  8195.  
  8196. C:\MSOCache\All Users\{90120000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml
  8197. MD5: ceac06b41fa39625c54f46de384d8de7
  8198. SHA1: 867fc866ef7224620fb45e0279052f446d03c9cc
  8199. 3728 2182
  8200. API Call
  8201.  
  8202. API Name: Sleep Address: 0x0040de21
  8203. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  8204. 3728
  8205. File
  8206. Open
  8207.  
  8208. C:\MSOCache\All Users\{90120000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml
  8209. MD5: ceac06b41fa39625c54f46de384d8de7
  8210. SHA1: 867fc866ef7224620fb45e0279052f446d03c9cc
  8211. 3728 2182
  8212. File
  8213. Close
  8214.  
  8215. C:\MSOCache\All Users\{90120000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml
  8216. MD5: 108f8cbcba74b1868e18dcf8313e0ae7
  8217. SHA1: 3b63574a1241b451e745c6dfda08ef5330068ec8
  8218. 3728 2192
  8219. File
  8220. Rename
  8221.  
  8222. Old Name: C:\MSOCache\All Users\{90120000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml
  8223. New Name: C:\MSOCache\All Users\{90120000-001B-0409-0000-0000000FF1CE}-C\NPDRxRGfuWLc4YyCttqjRu7c37RG7moH+Uz2BBPL3o4=.4F3773E1C2AF79622E62.no_more_ransom
  8225. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  8226. MD5: 108f8cbcba74b1868e18dcf8313e0ae7
  8227. SHA1: 3b63574a1241b451e745c6dfda08ef5330068ec8
  8228. 3728 2192
  8229. File
  8230. Open
  8231.  
  8232. C:\MSOCache\All Users\{90120000-001B-0409-0000-0000000FF1CE}-C\Setup.xml
  8233. 3728 2678
  8234. File
  8235. Open
  8236.  
  8237. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8238. MD5: ed13264cda60f8409a0e3979451bfd79
  8239. SHA1: 4afc9bdff1595151802cd32ad3ff2303382e088f
  8240. 3728 2090
  8241. File
  8242. Close
  8243.  
  8244. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8245. MD5: 42f50ecb88c87b557cb7030c8617742e
  8246. SHA1: ce7f0f71b96e929b8fae83c76cbea984b92bac02
  8247. 3728 2276
  8248. File
  8249. Close
  8250.  
  8251. C:\MSOCache\All Users\{90120000-001B-0409-0000-0000000FF1CE}-C\Setup.xml
  8252. MD5: 81850f130be03bb5d96652612e27bd19
  8253. SHA1: bfd68b4d70791257a31b2b43ce6c0845d2b20ae7
  8254. 3728 3062
  8255. File
  8256. Hide
  8257.  
  8258. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8259. MD5: 42f50ecb88c87b557cb7030c8617742e
  8260. SHA1: ce7f0f71b96e929b8fae83c76cbea984b92bac02
  8261. 3728 2276
  8262. File
  8263. Open
  8264.  
  8265. C:\MSOCache\All Users\{90120000-001B-0409-0000-0000000FF1CE}-C\Setup.xml
  8266. MD5: 81850f130be03bb5d96652612e27bd19
  8267. SHA1: bfd68b4d70791257a31b2b43ce6c0845d2b20ae7
  8268. 3728 3062
  8269. File
  8270. Close
  8271.  
  8272. C:\MSOCache\All Users\{90120000-001B-0409-0000-0000000FF1CE}-C\Setup.xml
  8273. MD5: 100276c983466d50393631f5d524dc8f
  8274. SHA1: 162b0c03a3530cad36ebb78fdacbfa69fd6da299
  8275. 3728 3072
  8276. File
  8277. Rename
  8278.  
  8279. Old Name: C:\MSOCache\All Users\{90120000-001B-0409-0000-0000000FF1CE}-C\Setup.xml
  8280. New Name: C:\MSOCache\All Users\{90120000-001B-0409-0000-0000000FF1CE}-C\V6-v4fjcJiMhVgbT5pXf4cGo8VeeFihQWlRrc
  8281. df3Ym0=.4F3773E1C2AF79622E62.no_more_ransom
  8282. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  8283. MD5: 100276c983466d50393631f5d524dc8f
  8284. SHA1: 162b0c03a3530cad36ebb78fdacbfa69fd6da299
  8285. 3728 3072
  8286. File
  8287. Open
  8288.  
  8289. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8290. MD5: 42f50ecb88c87b557cb7030c8617742e
  8291. SHA1: ce7f0f71b96e929b8fae83c76cbea984b92bac02
  8292. 3728 2276
  8293. File
  8294. Close
  8295.  
  8296. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8297. MD5: 0e1be55567ced43ce4300e528343122d
  8298. SHA1: 336e6a8baab9a77f989576a49211b8815c953179
  8299. 3728 2458
  8300. File
  8301. Open
  8302.  
  8303. C:\MSOCache\All Users\{90120000-001A-0409-0000-0000000FF1CE}-C\Setup.xml
  8304. 3728 3861
  8305. File
  8306. Hide
  8307.  
  8308. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8309. MD5: 0e1be55567ced43ce4300e528343122d
  8310. SHA1: 336e6a8baab9a77f989576a49211b8815c953179
  8311. 3728 2458
  8312. File
  8313. Close
  8314.  
  8315. C:\MSOCache\All Users\{90120000-001A-0409-0000-0000000FF1CE}-C\Setup.xml
  8316. MD5: a0ac55d038533309ff1c05457377edf4
  8317. SHA1: 33280b32277cb2d7331aefaeae88bf0e38ce500f
  8318. 3728 4245
  8319. File
  8320. Open
  8321.  
  8322. C:\MSOCache\All Users\{90120000-001A-0409-0000-0000000FF1CE}-C\Setup.xml
  8323. MD5: a0ac55d038533309ff1c05457377edf4
  8324. SHA1: 33280b32277cb2d7331aefaeae88bf0e38ce500f
  8325. 3728 4245
  8326. File
  8327. Close
  8328.  
  8329. C:\MSOCache\All Users\{90120000-001A-0409-0000-0000000FF1CE}-C\Setup.xml
  8330. MD5: 9a8fe5019cc6a4ea5bf18ddeff42e562
  8331. SHA1: f4f8a75364e4b925ec6d8c5704632c230f1c23f6
  8332. 3728 4256
  8333. File
  8334. Rename
  8335.  
  8336. Old Name: C:\MSOCache\All Users\{90120000-001A-0409-0000-0000000FF1CE}-C\Setup.xml
  8337. New Name: C:\MSOCache\All Users\{90120000-001A-0409-0000-0000000FF1CE}-C\ofjhwmbngehiwyu2Z+NKLAEJCTWJnPyGGqCuw
  8338. 3wA5e8=.4F3773E1C2AF79622E62.no_more_ransom
  8339. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  8340. MD5: 9a8fe5019cc6a4ea5bf18ddeff42e562
  8341. SHA1: f4f8a75364e4b925ec6d8c5704632c230f1c23f6
  8342. 3728 4256
  8343. File
  8344. Open
  8345.  
  8346. C:\MSOCache\All Users\{90120000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml
  8347. 3728 2945
  8348. File
  8349. Open
  8350.  
  8351. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8352. MD5: 0e1be55567ced43ce4300e528343122d
  8353. SHA1: 336e6a8baab9a77f989576a49211b8815c953179
  8354. 3728 2458
  8355. File
  8356. Close
  8357.  
  8358. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8359. MD5: 7b3e4ae96366e55872aaf0ce3add12e8
  8360. SHA1: d249b66143545c76193f66bd308dcb8d50160a01
  8361. 3728 2640
  8362. File
  8363. Close
  8364.  
  8365. C:\MSOCache\All Users\{90120000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml
  8366. MD5: 64e040e7e94342b63bb1d26f4b39f77a
  8367. SHA1: 4700f9045c60913f6688be89704c96d91cca55f5
  8368. 3728 3329
  8369. File
  8370. Hide
  8371.  
  8372. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8373. MD5: 7b3e4ae96366e55872aaf0ce3add12e8
  8374. SHA1: d249b66143545c76193f66bd308dcb8d50160a01
  8375. 3728 2640
  8376. File
  8377. Open
  8378.  
  8379. C:\MSOCache\All Users\{90120000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml
  8380. MD5: 64e040e7e94342b63bb1d26f4b39f77a
  8381. SHA1: 4700f9045c60913f6688be89704c96d91cca55f5
  8382. 3728 3329
  8383. File
  8384. Close
  8385.  
  8386. C:\MSOCache\All Users\{90120000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml
  8387. MD5: 4c34fd9e85ee5b2cee87c6cc5b7fa5ff
  8388. SHA1: 314b26c29d4f2c0025b7841d81fee895973ccce3
  8389. 3728 3344
  8390. File
  8391. Rename
  8392.  
  8393. Old Name: C:\MSOCache\All Users\{90120000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml
  8394. New Name: C:\MSOCache\All Users\{90120000-001A-0409-0000-0000000FF1CE}-C\Zwet1MKSSC47QoUNmFF3SErMLNE+SokPcXP-R
  8395. nIjmL0=.4F3773E1C2AF79622E62.no_more_ransom
  8396. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  8397. MD5: 4c34fd9e85ee5b2cee87c6cc5b7fa5ff
  8398. SHA1: 314b26c29d4f2c0025b7841d81fee895973ccce3
  8399. 3728 3344
  8400. API Call
  8401.  
  8402. API Name: Sleep Address: 0x0040de21
  8403. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  8404. 3728
  8405. File
  8406. Open
  8407.  
  8408. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8409. MD5: 7b3e4ae96366e55872aaf0ce3add12e8
  8410. SHA1: d249b66143545c76193f66bd308dcb8d50160a01
  8411. 3728 2640
  8412. File
  8413. Close
  8414.  
  8415. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8416. MD5: cdd2c2ab1528225f5eb66ab15217b51c
  8417. SHA1: 1141bea48b82dd4205d251987e21c29f50fdcf85
  8418. 3728 2832
  8419. File
  8420. Open
  8421.  
  8422. C:\MSOCache\All Users\{90120000-0018-0409-0000-0000000FF1CE}-C\Setup.xml
  8423. 3728 2004
  8424. File
  8425. Hide
  8426.  
  8427. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8428. MD5: cdd2c2ab1528225f5eb66ab15217b51c
  8429. SHA1: 1141bea48b82dd4205d251987e21c29f50fdcf85
  8430. 3728 2832
  8431. File
  8432. Close
  8433.  
  8434. C:\MSOCache\All Users\{90120000-0018-0409-0000-0000000FF1CE}-C\Setup.xml
  8435. MD5: 98af4f37f73842461caa94064efa16d5
  8436. SHA1: 5bbe777e79f8b25add9393e0148b9253ce1d2478
  8437. 3728 2388
  8438. File
  8439. Open
  8440.  
  8441. C:\MSOCache\All Users\{90120000-0018-0409-0000-0000000FF1CE}-C\Setup.xml
  8442. MD5: 98af4f37f73842461caa94064efa16d5
  8443. SHA1: 5bbe777e79f8b25add9393e0148b9253ce1d2478
  8444. 3728 2388
  8445. File
  8446. Close
  8447.  
  8448. C:\MSOCache\All Users\{90120000-0018-0409-0000-0000000FF1CE}-C\Setup.xml
  8449. MD5: 2a3419ead6f80ae4139ef2fdf938c80a
  8450. SHA1: 6a329f6f08fcbd00b521b0b5003baff3c3892add
  8451. 3728 2400
  8452. File
  8453. Rename
  8454.  
  8455. Old Name: C:\MSOCache\All Users\{90120000-0018-0409-0000-0000000FF1CE}-C\Setup.xml
  8456. New Name: C:\MSOCache\All Users\{90120000-0018-0409-0000-0000000FF1CE}-C\bPPbLhFgRjCtT0S895Cuc+g+UZqJUJDseRGZX
  8457. GH6Jdc=.4F3773E1C2AF79622E62.no_more_ransom
  8458. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  8459. MD5: 2a3419ead6f80ae4139ef2fdf938c80a
  8460. SHA1: 6a329f6f08fcbd00b521b0b5003baff3c3892add
  8461. 3728 2400
  8462. File
  8463. Open
  8464.  
  8465. C:\MSOCache\All Users\{90120000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml
  8466. 3728 1553
  8467. File
  8468. Close
  8469.  
  8470. C:\MSOCache\All Users\{90120000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml
  8471. MD5: a599dfcba50f044bf3aa1dc96d1b4844
  8472. SHA1: 9aa3bd6aa2346fac581c64674e0c584ff4a0fd93
  8473. 3728 1937
  8474. File
  8475. Open
  8476.  
  8477. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8478. MD5: cdd2c2ab1528225f5eb66ab15217b51c
  8479. SHA1: 1141bea48b82dd4205d251987e21c29f50fdcf85
  8480. 3728 2832
  8481. File
  8482. Close
  8483.  
  8484. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8485. MD5: bff3d858cabf0dc3c26a2a423f5b2c02
  8486. SHA1: daec0afe00cea7f03c1c2a136bb4b0b4f7885dab
  8487. 3728 3014
  8488. File
  8489. Open
  8490.  
  8491. C:\MSOCache\All Users\{90120000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml
  8492. MD5: a599dfcba50f044bf3aa1dc96d1b4844
  8493. SHA1: 9aa3bd6aa2346fac581c64674e0c584ff4a0fd93
  8494. 3728 1937
  8495. File
  8496. Hide
  8497.  
  8498. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8499. MD5: bff3d858cabf0dc3c26a2a423f5b2c02
  8500. SHA1: daec0afe00cea7f03c1c2a136bb4b0b4f7885dab
  8501. 3728 3014
  8502. File
  8503. Close
  8504.  
  8505. C:\MSOCache\All Users\{90120000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml
  8506. MD5: 9248ac29307fe8cb5cf50fa1be51ab14
  8507. SHA1: 2cbcb9488c22e4ab0e0520956f02971412fc85b3
  8508. 3728 1952
  8509. File
  8510. Rename
  8511.  
  8512. Old Name: C:\MSOCache\All Users\{90120000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml
  8513. New Name: C:\MSOCache\All Users\{90120000-0018-0409-0000-0000000FF1CE}-C\6rYu-ij2l9oH5dv-NeaTNJtDAkhlywM0rGFWu
  8514. IODgbCFGFCzA2ar5Sc4gYdx6gb+.4F3773E1C2AF79622E62.no_more_ransom
  8515. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  8516. MD5: 9248ac29307fe8cb5cf50fa1be51ab14
  8517. SHA1: 2cbcb9488c22e4ab0e0520956f02971412fc85b3
  8518. 3728 1952
  8519. File
  8520. Open
  8521.  
  8522. C:\MSOCache\All Users\{90120000-0016-0409-0000-0000000FF1CE}-C\Setup.xml
  8523. 3728 2527
  8524. File
  8525. Open
  8526.  
  8527. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8528. MD5: bff3d858cabf0dc3c26a2a423f5b2c02
  8529. SHA1: daec0afe00cea7f03c1c2a136bb4b0b4f7885dab
  8530. 3728 3014
  8531. File
  8532. Close
  8533.  
  8534. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8535. MD5: 4e70f78399bd8e53dac1db7ec3f4ddfe
  8536. SHA1: 4aaf0335ea79a0d3f2533a17ee2d4d65d2b2e3e8
  8537. 3728 3212
  8538. File
  8539. Hide
  8540.  
  8541. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8542. MD5: 4e70f78399bd8e53dac1db7ec3f4ddfe
  8543. SHA1: 4aaf0335ea79a0d3f2533a17ee2d4d65d2b2e3e8
  8544. 3728 3212
  8545. File
  8546. Close
  8547.  
  8548. C:\MSOCache\All Users\{90120000-0016-0409-0000-0000000FF1CE}-C\Setup.xml
  8549. MD5: 6e3e8bbd84a897b0c17058c314c3083e
  8550. SHA1: fe6a6b1d8647367ac649eb0e694ff53f570b0297
  8551. 3728 2911
  8552. File
  8553. Open
  8554.  
  8555. C:\MSOCache\All Users\{90120000-0016-0409-0000-0000000FF1CE}-C\Setup.xml
  8556. MD5: 6e3e8bbd84a897b0c17058c314c3083e
  8557. SHA1: fe6a6b1d8647367ac649eb0e694ff53f570b0297
  8558. 3728 2911
  8559. File
  8560. Close
  8561.  
  8562. C:\MSOCache\All Users\{90120000-0016-0409-0000-0000000FF1CE}-C\Setup.xml
  8563. MD5: 64d901602242327f67f0a04169a4866f
  8564. SHA1: e591551448800c495f404bf88d6d1f975cdbcc2c
  8565. 3728 2912
  8566. File
  8567. Rename
  8568.  
  8569. Old Name: C:\MSOCache\All Users\{90120000-0016-0409-0000-0000000FF1CE}-C\Setup.xml
  8570. New Name: C:\MSOCache\All Users\{90120000-0016-0409-0000-0000000FF1CE}-C\yc8YQ728mR64G7aTrQgwC0QoDFIwAOWsSLeT-
  8571. qgsBzk=.4F3773E1C2AF79622E62.no_more_ransom
  8572. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  8573. MD5: 64d901602242327f67f0a04169a4866f
  8574. SHA1: e591551448800c495f404bf88d6d1f975cdbcc2c
  8575. 3728 2912
  8576. API Call
  8577.  
  8578. API Name: Sleep Address: 0x0040de21
  8579. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  8580. 3728
  8581. File
  8582. Open
  8583.  
  8584. C:\MSOCache\All Users\{90120000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml
  8585. 3728 1801
  8586. File
  8587. Open
  8588.  
  8589. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8590. MD5: 4e70f78399bd8e53dac1db7ec3f4ddfe
  8591. SHA1: 4aaf0335ea79a0d3f2533a17ee2d4d65d2b2e3e8
  8592. 3728 3212
  8593. File
  8594. Close
  8595.  
  8596. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8597. MD5: 20705eec377567c6783ff1430d8422dc
  8598. SHA1: 0a354fcf33c57c2ead76160463c437c576abdfa4
  8599. 3728 3394
  8600. File
  8601. Close
  8602.  
  8603. C:\MSOCache\All Users\{90120000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml
  8604. MD5: d00b8a4bdc248f0ef4e414d8d4479dda
  8605. SHA1: 5f9e8e7d28151313ffdf1cad1e436b74884ee2a9
  8606. 3728 2185
  8607. File
  8608. Hide
  8609.  
  8610. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8611. MD5: 20705eec377567c6783ff1430d8422dc
  8612. SHA1: 0a354fcf33c57c2ead76160463c437c576abdfa4
  8613. 3728 3394
  8614. File
  8615. Open
  8616.  
  8617. C:\MSOCache\All Users\{90120000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml
  8618. MD5: d00b8a4bdc248f0ef4e414d8d4479dda
  8619. SHA1: 5f9e8e7d28151313ffdf1cad1e436b74884ee2a9
  8620. 3728 2185
  8621. File
  8622. Close
  8623.  
  8624. C:\MSOCache\All Users\{90120000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml
  8625. MD5: b80d5daeb17e75022b9f2541218100ee
  8626. SHA1: b6e57f833a98ae85aef2158d3ffd4eacf897050c
  8627. 3728 2192
  8628. File
  8629. Rename
  8630.  
  8631. Old Name: C:\MSOCache\All Users\{90120000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml
  8632. New Name: C:\MSOCache\All Users\{90120000-0016-0409-0000-0000000FF1CE}-C\CY6B4swVdFf3rlnS2B3k9CgHwG1OixXcDMx9K
  8633. qZ7TjE=.4F3773E1C2AF79622E62.no_more_ransom
  8634. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  8635. MD5: b80d5daeb17e75022b9f2541218100ee
  8636. SHA1: b6e57f833a98ae85aef2158d3ffd4eacf897050c
  8637. 3728 2192
  8638. File
  8639. Open
  8640.  
  8641. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8642. MD5: 20705eec377567c6783ff1430d8422dc
  8643. SHA1: 0a354fcf33c57c2ead76160463c437c576abdfa4
  8644. 3728 3394
  8645. File
  8646. Close
  8647.  
  8648. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8649. MD5: fb496f7fde0b270bb971c4a8d14f29b0
  8650. SHA1: 000eb70b2060cbe19f701159824ccfece189eb63
  8651. 3728 3582
  8652. File
  8653. Hide
  8654.  
  8655. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8656. MD5: fb496f7fde0b270bb971c4a8d14f29b0
  8657. SHA1: 000eb70b2060cbe19f701159824ccfece189eb63
  8658. 3728 3582
  8659. File
  8660. Open
  8661.  
  8662. C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\StandardWW.xml
  8663. 3728 13115
  8664. File
  8665. Close
  8666.  
  8667. C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\StandardWW.xml
  8668. MD5: 6cfc268348726af3fa1532496d3353ab
  8669. SHA1: e07a1705d0d7faa7952e0ceffc3579f677d81135
  8670. 3728 13499
  8671. File
  8672. Open
  8673.  
  8674. C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\StandardWW.xml
  8675. MD5: 6cfc268348726af3fa1532496d3353ab
  8676. SHA1: e07a1705d0d7faa7952e0ceffc3579f677d81135
  8677. 3728 13499
  8678. File
  8679. Close
  8680.  
  8681. C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\StandardWW.xml
  8682. MD5: 7609b4d2c02a6c0c6d7091141260e863
  8683. SHA1: 30832ee4c3dd4bde917ac9ceac14e0180d00cfee
  8684. 3728 13504
  8685. File
  8686. Rename
  8687.  
  8688. Old Name: C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\StandardWW.xml
  8689. New Name: C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\XztWhexqsqrJFo4LWhpYJNrU3fmHQE-CP1q0y
  8690. bV17Sk=.4F3773E1C2AF79622E62.no_more_ransom
  8691. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  8692. MD5: 7609b4d2c02a6c0c6d7091141260e863
  8693. SHA1: 30832ee4c3dd4bde917ac9ceac14e0180d00cfee
  8694. 3728 13504
  8695. File
  8696. Open
  8697.  
  8698. C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\Setup.xml
  8699. 3728 24033
  8700. File
  8701. Open
  8702.  
  8703. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8704. MD5: fb496f7fde0b270bb971c4a8d14f29b0
  8705. SHA1: 000eb70b2060cbe19f701159824ccfece189eb63
  8706. 3728 3582
  8707. File
  8708. Close
  8709.  
  8710. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8711. MD5: 22af9b69d520848e1e15f1d40fb3ca2d
  8712. SHA1: 3fdd9752b83bd89d7110169c173984062eaa4530
  8713. 3728 3774
  8714. File
  8715. Close
  8716.  
  8717. C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\Setup.xml
  8718. MD5: a8e86cdbfcd7426b14b65608210b52da
  8719. SHA1: 3c12c7c17776bac73bfbe80350e1ebd41c38bf10
  8720. 3728 24417
  8721. File
  8722. Hide
  8723.  
  8724. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8725. MD5: 22af9b69d520848e1e15f1d40fb3ca2d
  8726. SHA1: 3fdd9752b83bd89d7110169c173984062eaa4530
  8727. 3728 3774
  8728. File
  8729. Open
  8730.  
  8731. C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\Setup.xml
  8732. MD5: a8e86cdbfcd7426b14b65608210b52da
  8733. SHA1: 3c12c7c17776bac73bfbe80350e1ebd41c38bf10
  8734. 3728 24417
  8735. File
  8736. Close
  8737.  
  8738. C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\Setup.xml
  8739. MD5: 69a4f8bc7570fa28679151a7635693af
  8740. SHA1: 91f2a9935d9a5e157506b6397f32096d1c4f023e
  8741. 3728 24432
  8742. File
  8743. Rename
  8744.  
  8745. Old Name: C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\Setup.xml
  8746. New Name: C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\FrYj+cRG8lr9AOOxNJ2ZCD9FomiKhz+CcdywA
  8747. SwS3VU=.4F3773E1C2AF79622E62.no_more_ransom
  8748. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  8749. MD5: 69a4f8bc7570fa28679151a7635693af
  8750. SHA1: 91f2a9935d9a5e157506b6397f32096d1c4f023e
  8751. 3728 24432
  8752. File
  8753. Open
  8754.  
  8755. C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\Office64WW.xml
  8756. 3728 2310
  8757. API Call
  8758.  
  8759. API Name: Sleep Address: 0x0040de21
  8760. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  8761. 3728
  8762. File
  8763. Open
  8764.  
  8765. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8766. MD5: 22af9b69d520848e1e15f1d40fb3ca2d
  8767. SHA1: 3fdd9752b83bd89d7110169c173984062eaa4530
  8768. 3728 3774
  8769. File
  8770. Close
  8771.  
  8772. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8773. MD5: 66b051814baf02f3fe1107c302468386
  8774. SHA1: dfe51efb6287ae42e9a4c48c3ccfee5d856c69d9
  8775. 3728 3956
  8776. File
  8777. Close
  8778.  
  8779. C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\Office64WW.xml
  8780. MD5: 14fc3b896b237a6f4643336504b3feb8
  8781. SHA1: 19f4a70989b22b8ac30f405a3d4466e618d2ec5f
  8782. 3728 2694
  8783. File
  8784. Hide
  8785.  
  8786. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8787. MD5: 66b051814baf02f3fe1107c302468386
  8788. SHA1: dfe51efb6287ae42e9a4c48c3ccfee5d856c69d9
  8789. 3728 3956
  8790. File
  8791. Open
  8792.  
  8793. C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\Office64WW.xml
  8794. MD5: 14fc3b896b237a6f4643336504b3feb8
  8795. SHA1: 19f4a70989b22b8ac30f405a3d4466e618d2ec5f
  8796. 3728 2694
  8797. File
  8798. Close
  8799.  
  8800. C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\Office64WW.xml
  8801. MD5: 1c47d1ef4e5878ba38147fb7c6f00518
  8802. SHA1: 7f3335ccf3f7bc10f33bd901315d5c316a8491ad
  8803. 3728 2704
  8804. File
  8805. Rename
  8806.  
  8807. Old Name: C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\Office64WW.xml
  8808. New Name: C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\wG-GugL23H5H0mLOJZoedkauUAUKwv4PmAwhw
  8809. RSCH2E=.4F3773E1C2AF79622E62.no_more_ransom
  8810. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  8811. MD5: 1c47d1ef4e5878ba38147fb7c6f00518
  8812. SHA1: 7f3335ccf3f7bc10f33bd901315d5c316a8491ad
  8813. 3728 2704
  8814. File
  8815. Open
  8816.  
  8817. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8818. MD5: 66b051814baf02f3fe1107c302468386
  8819. SHA1: dfe51efb6287ae42e9a4c48c3ccfee5d856c69d9
  8820. 3728 3956
  8821. File
  8822. Close
  8823.  
  8824. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8825. MD5: 02a3e5015b04526b2949707d9fec9600
  8826. SHA1: 6ad22bcbd9450ddea94355eb9db2b0eb9e8b3223
  8827. 3728 4148
  8828. File
  8829. Hide
  8830.  
  8831. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8832. MD5: 02a3e5015b04526b2949707d9fec9600
  8833. SHA1: 6ad22bcbd9450ddea94355eb9db2b0eb9e8b3223
  8834. 3728 4148
  8835. File
  8836. Open
  8837.  
  8838. C:\MSOCache\All Users\{90120000-0010-0409-0000-0000000FF1CE}-C\Setup.xml
  8839. 3728 1251
  8840. File
  8841. Close
  8842.  
  8843. C:\MSOCache\All Users\{90120000-0010-0409-0000-0000000FF1CE}-C\Setup.xml
  8844. MD5: 04425146afa5b88969ce9d2af0b40ea0
  8845. SHA1: d50a3cfd37df87cbdc6e5277ce5172d1769dc2aa
  8846. 3728 1635
  8847. File
  8848. Open
  8849.  
  8850. C:\MSOCache\All Users\{90120000-0010-0409-0000-0000000FF1CE}-C\Setup.xml
  8851. MD5: 04425146afa5b88969ce9d2af0b40ea0
  8852. SHA1: d50a3cfd37df87cbdc6e5277ce5172d1769dc2aa
  8853. 3728 1635
  8854. File
  8855. Close
  8856.  
  8857. C:\MSOCache\All Users\{90120000-0010-0409-0000-0000000FF1CE}-C\Setup.xml
  8858. MD5: 36f028e51b43ffde6d5ebb907ade6a9a
  8859. SHA1: 70ad07e12a7db1597a41dacef0aa7d6dde9fbed4
  8860. 3728 1648
  8861. File
  8862. Rename
  8863.  
  8864. Old Name: C:\MSOCache\All Users\{90120000-0010-0409-0000-0000000FF1CE}-C\Setup.xml
  8865. New Name: C:\MSOCache\All Users\{90120000-0010-0409-0000-0000000FF1CE}-C\xd6VBgZxiTY-zi8HmV-Q3zIgSrR-pAGi5xfTE
  8866. 5WV6ag=.4F3773E1C2AF79622E62.no_more_ransom
  8867. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  8868. MD5: 36f028e51b43ffde6d5ebb907ade6a9a
  8869. SHA1: 70ad07e12a7db1597a41dacef0aa7d6dde9fbed4
  8870. 3728 1648
  8871. File
  8872. Open
  8873.  
  8874. C:\MSOCache\All Users\{90120000-0010-0409-0000-0000000FF1CE}-C\RosebudMUI.xml
  8875. 3728 811
  8876. File
  8877. Close
  8878.  
  8879. C:\MSOCache\All Users\{90120000-0010-0409-0000-0000000FF1CE}-C\RosebudMUI.xml
  8880. MD5: 676c3ccde3811ffefa7a767b88ac7cdf
  8881. SHA1: e40442233a3fbe117481748e84611db4aca79d9c
  8882. 3728 1195
  8883. File
  8884. Open
  8885.  
  8886. C:\MSOCache\All Users\{90120000-0010-0409-0000-0000000FF1CE}-C\RosebudMUI.xml
  8887. MD5: 676c3ccde3811ffefa7a767b88ac7cdf
  8888. SHA1: e40442233a3fbe117481748e84611db4aca79d9c
  8889. 3728 1195
  8890. File
  8891. Open
  8892.  
  8893. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8894. MD5: 02a3e5015b04526b2949707d9fec9600
  8895. SHA1: 6ad22bcbd9450ddea94355eb9db2b0eb9e8b3223
  8896. 3728 4148
  8897. File
  8898. Close
  8899.  
  8900. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8901. MD5: 5d94f54c8b5379921c3798fa4c946408
  8902. SHA1: 10c2e5bf667c80de748d5b305d86edcc7c43d1f8
  8903. 3728 4330
  8904. File
  8905. Close
  8906.  
  8907. C:\MSOCache\All Users\{90120000-0010-0409-0000-0000000FF1CE}-C\RosebudMUI.xml
  8908. MD5: e0c3b4257b9222183a35a2fd97f3ba97
  8909. SHA1: 54653f112c12f95a8d8c98a5ea8bb6720a802fba
  8910. 3728 1200
  8911. File
  8912. Hide
  8913.  
  8914. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8915. MD5: 5d94f54c8b5379921c3798fa4c946408
  8916. SHA1: 10c2e5bf667c80de748d5b305d86edcc7c43d1f8
  8917. 3728 4330
  8918. File
  8919. Rename
  8920.  
  8921. Old Name: C:\MSOCache\All Users\{90120000-0010-0409-0000-0000000FF1CE}-C\RosebudMUI.xml
  8922. New Name: C:\MSOCache\All Users\{90120000-0010-0409-0000-0000000FF1CE}-C\kLYsuU6+u2Eavb7csWANaB+1gvfw-bHy2cWlJ
  8923. oJLMGo=.4F3773E1C2AF79622E62.no_more_ransom
  8924. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  8925. MD5: e0c3b4257b9222183a35a2fd97f3ba97
  8926. SHA1: 54653f112c12f95a8d8c98a5ea8bb6720a802fba
  8927. 3728 1200
  8928. File
  8929. Find
  8930.  
  8931. C:\Documents and Settings\*
  8932. 3728
  8933. File
  8934. Open
  8935.  
  8936. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8937. MD5: 5d94f54c8b5379921c3798fa4c946408
  8938. SHA1: 10c2e5bf667c80de748d5b305d86edcc7c43d1f8
  8939. 3728 4330
  8940. File
  8941. Close
  8942.  
  8943. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8944. MD5: a32308573e380f98e068df1d6d928a2d
  8945. SHA1: 957472f55e482f6679a00919ed483d1cb932c1cc
  8946. 3728 4522
  8947. File
  8948. Hide
  8949.  
  8950. C:\Documents and Settings\All Users\Application Data\System32\xfs
  8951. MD5: a32308573e380f98e068df1d6d928a2d
  8952. SHA1: 957472f55e482f6679a00919ed483d1cb932c1cc
  8953. 3728 4522
  8954. API Call
  8955.  
  8956. API Name: Sleep Address: 0x0040de21
  8957. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
  8958. 3728
  8959. File
  8960. Failed
  8961.  
  8962. C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.
  8963. dat.LOG
  8964. 3728
  8965. File
  8966. Failed
  8967.  
  8968. C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.
  8969. dat
  8970. 3728
  8971. Folder
  8972. Open
  8973.  
  8974. C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Credentials
  8975. 3728
  8976. Folder
  8977. Open
  8978.  
  8979. C:\Documents and Settings\NetworkService\Cookies
  8980. 3728
  8981. ProcessTelemetryReport
  8982.  
  8983. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  8984. 3728
  8985. Folder
  8986. Open
  8987.  
  8988. C:\Documents and Settings\NetworkService\Application Data\Microsoft\Credentials
  8989. 3728
  8990. File
  8991. Failed
  8992.  
  8993. C:\Documents and Settings\NetworkService\ntuser.dat.LOG
  8994. 3728
  8995. File
  8996. Failed
  8997.  
  8998. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
  8999. 3728
  9000. File
  9001. Failed
  9002.  
  9003. C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat
  9004. 3728
  9005. File
  9006. Open
  9007.  
  9008. C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows Media\9.0\W
  9009. MSDKNS.XML
  9010. 3728 12784
  9011. File
  9012. Close
  9013.  
  9014. C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows Media\9.0\W
  9015. MSDKNS.XML
  9016. MD5: cb355036d1a682979930881289c32fe3
  9017. SHA1: 11d85afdacb0324859b463338f01672ceada2711
  9018. 3728 13168
  9019. File
  9020. Open
  9021.  
  9022. C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows Media\9.0\W
  9023. MSDKNS.XML
  9024. MD5: cb355036d1a682979930881289c32fe3
  9025. SHA1: 11d85afdacb0324859b463338f01672ceada2711
  9026. 3728 13168
  9027. File
  9028. Close
  9029.  
  9030. C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows Media\9.0\W
  9031. MSDKNS.XML
  9032. MD5: 0d1ed8a1fa5559ddd57be59ece651126
  9033. SHA1: 0744fc825b402adc87b4adca04a360321d7a3aed
  9034. 3728 13168
  9035. File
  9036. Rename
  9037.  
  9038. Old Name: C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows Media\9.0\W
  9039. MSDKNS.XML
  9040. New Name: C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows Media\9.0\c
  9041. Q7Cpemiy8aZPUh-Ujh1EAZSBuYE2UgN4a3QITfhXfQ=.4F3773E1C2AF79622E62.no_more_ransom
  9042. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  9043. MD5: 0d1ed8a1fa5559ddd57be59ece651126
  9044. SHA1: 0744fc825b402adc87b4adca04a360321d7a3aed
  9045. 3728 13168
  9046. File
  9047. Open
  9048.  
  9049. C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows Media\9.0\W
  9050. MSDKNS.DTD
  9051. 3728 498
  9052. File
  9053. Close
  9054.  
  9055. C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows Media\9.0\W
  9056. MSDKNS.DTD
  9057. MD5: 958839c0199cb4cdc04f8cbdb2657605
  9058. SHA1: d37ea728584d85e6a13472c0e9aed63e05548c6e
  9059. 3728 882
  9060. File
  9061. Open
  9062.  
  9063. C:\Documents and Settings\All Users\Application Data\System32\xfs
  9064. MD5: a32308573e380f98e068df1d6d928a2d
  9065. SHA1: 957472f55e482f6679a00919ed483d1cb932c1cc
  9066. 3728 4522
  9067. File
  9068. Close
  9069.  
  9070. C:\Documents and Settings\All Users\Application Data\System32\xfs
  9071. MD5: e1ec334809837b3ffe53ff91efa45c23
  9072. SHA1: e87da2cc46babc65f6590875b97b5e043ca24e06
  9073. 3728 4780
  9074. File
  9075. Open
  9076.  
  9077. C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows Media\9.0\W
  9078. MSDKNS.DTD
  9079. MD5: 958839c0199cb4cdc04f8cbdb2657605
  9080. SHA1: d37ea728584d85e6a13472c0e9aed63e05548c6e
  9081. 3728 882
  9082. File
  9083. Hide
  9084.  
  9085. C:\Documents and Settings\All Users\Application Data\System32\xfs
  9086. MD5: e1ec334809837b3ffe53ff91efa45c23
  9087. SHA1: e87da2cc46babc65f6590875b97b5e043ca24e06
  9088. 3728 4780
  9089. File
  9090. Close
  9091.  
  9092. C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows Media\9.0\W
  9093. MSDKNS.DTD
  9094. MD5: a68a139e356e0671a99486f841f289dc
  9095. SHA1: 71685760d6c6eea8ad2937e197365e41d3d646e1
  9096. 3728 896
  9097. File
  9098. Rename
  9099.  
  9100. Old Name: C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows Media\9.0\W
  9101. MSDKNS.DTD
  9102. New Name: C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows Media\9.0\W
  9103. DyM51Atr6pWnJVnDfbYZF6fG2NjHMHbLmSD6aYTN5E=.4F3773E1C2AF79622E62.no_more_ransom
  9104. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  9105. MD5: a68a139e356e0671a99486f841f289dc
  9106. SHA1: 71685760d6c6eea8ad2937e197365e41d3d646e1
  9107. 3728 896
  9108. File
  9109. Failed
  9110.  
  9111. C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.da
  9112. t.LOG
  9113. 3728
  9114. File
  9115. Open
  9116.  
  9117. C:\Documents and Settings\All Users\Application Data\System32\xfs
  9118. MD5: e1ec334809837b3ffe53ff91efa45c23
  9119. SHA1: e87da2cc46babc65f6590875b97b5e043ca24e06
  9120. 3728 4780
  9121. File
  9122. Close
  9123.  
  9124. C:\Documents and Settings\All Users\Application Data\System32\xfs
  9125. MD5: 46d84d1d775ad4b13914982c0628bbc4
  9126. SHA1: 1b9484595945b7f3a621001354e776778346f0c3
  9127. 3728 5038
  9128. File
  9129. Hide
  9130.  
  9131. C:\Documents and Settings\All Users\Application Data\System32\xfs
  9132. MD5: 46d84d1d775ad4b13914982c0628bbc4
  9133. SHA1: 1b9484595945b7f3a621001354e776778346f0c3
  9134. 3728 5038
  9135. File
  9136. Failed
  9137.  
  9138. C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.da
  9139. t
  9140. 3728
  9141. Folder
  9142. Open
  9143.  
  9144. C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Credentials
  9145. 3728
  9146. File
  9147. Open
  9148.  
  9149. C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
  9150. 3728 114232
  9151. File
  9152. Close
  9153.  
  9154. C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
  9155. MD5: dc392415e495b0632a6c99950205c2d9
  9156. SHA1: b3bf527827c9606a06af2f56bb732615c04b91b1
  9157. 3728 114616
  9158. File
  9159. Open
  9160.  
  9161. C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
  9162. MD5: dc392415e495b0632a6c99950205c2d9
  9163. SHA1: b3bf527827c9606a06af2f56bb732615c04b91b1
  9164. 3728 114616
  9165. File
  9166. Close
  9167.  
  9168. C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
  9169. MD5: 1d781aef6f642af706e1756563e751b7
  9170. SHA1: 5110b96bfa44c818fd4bdd45bb2081f097657cba
  9171. 3728 114624
  9172. File
  9173. Rename
  9174.  
  9175. Old Name: C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
  9176. New Name: C:\Documents and Settings\LocalService\Local Settings\Application Data\XPDwOv-JkqLjD1tNCEddfi3yYhNYf
  9177. 52ZP9+NwdyrC7oHTprE48MoClk1r3He2iQ1.4F3773E1C2AF79622E62.no_more_ransom
  9178. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  9179. MD5: 1d781aef6f642af706e1756563e751b7
  9180. SHA1: 5110b96bfa44c818fd4bdd45bb2081f097657cba
  9181. 3728 114624
  9182. Folder
  9183. Open
  9184.  
  9185. C:\Documents and Settings\LocalService\Cookies
  9186. 3728
  9187. File
  9188. Failed
  9189.  
  9190. C:\Documents and Settings\LocalService\Cookies\index.dat
  9191. 3728
  9192. File
  9193. Open
  9194.  
  9195. C:\Documents and Settings\All Users\Application Data\System32\xfs
  9196. MD5: 46d84d1d775ad4b13914982c0628bbc4
  9197. SHA1: 1b9484595945b7f3a621001354e776778346f0c3
  9198. 3728 5038
  9199. File
  9200. Close
  9201.  
  9202. C:\Documents and Settings\All Users\Application Data\System32\xfs
  9203. MD5: bce51e878b486b4fe34a7a1c8cd25f63
  9204. SHA1: 6a10783a3621faf48ffd884be9244acef668157d
  9205. 3728 5258
  9206. File
  9207. Hide
  9208.  
  9209. C:\Documents and Settings\All Users\Application Data\System32\xfs
  9210. MD5: bce51e878b486b4fe34a7a1c8cd25f63
  9211. SHA1: 6a10783a3621faf48ffd884be9244acef668157d
  9212. 3728 5258
  9213. Folder
  9214. Open
  9215.  
  9216. C:\Documents and Settings\LocalService\Application Data\Microsoft\Credentials
  9217. 3728
  9218. File
  9219. Failed
  9220.  
  9221. C:\Documents and Settings\LocalService\ntuser.dat.LOG
  9222. 3728
  9223. File
  9224. Open
  9225.  
  9226. C:\Documents and Settings\Default User\Templates\wordpfct.wpd
  9227. 3728 30
  9228. File
  9229. Close
  9230.  
  9231. C:\Documents and Settings\Default User\Templates\wordpfct.wpd
  9232. MD5: 05150055dfad0f74be78c4ee75ee4930
  9233. SHA1: 571b97adaa3eeddee8b465b2642b9c6d6dcd4870
  9234. 3728 414
  9235. File
  9236. Open
  9237.  
  9238. C:\Documents and Settings\Default User\Templates\wordpfct.wpd
  9239. MD5: 05150055dfad0f74be78c4ee75ee4930
  9240. SHA1: 571b97adaa3eeddee8b465b2642b9c6d6dcd4870
  9241. 3728 414
  9242. File
  9243. Close
  9244.  
  9245. C:\Documents and Settings\Default User\Templates\wordpfct.wpd
  9246. MD5: 6bd0dbdb5334d6f91c65d55969201a16
  9247. SHA1: cf49bffed65c1e363bf3bf620c1f5114a14da915
  9248. 3728 416
  9249. File
  9250. Rename
  9251.  
  9252. Old Name: C:\Documents and Settings\Default User\Templates\wordpfct.wpd
  9253. New Name: C:\Documents and Settings\Default User\Templates\8rzQr4e2qQSFw8IGMa7ggqwrM0a8mQ7PflQadi4lYVU=.4F3773
  9254. E1C2AF79622E62.no_more_ransom
  9255. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  9256. MD5: 6bd0dbdb5334d6f91c65d55969201a16
  9257. SHA1: cf49bffed65c1e363bf3bf620c1f5114a14da915
  9258. 3728 416
  9259. File
  9260. Open
  9261.  
  9262. C:\Documents and Settings\Default User\Templates\winword2.doc
  9263. 3728 1769
  9264. File
  9265. Close
  9266.  
  9267. C:\Documents and Settings\Default User\Templates\winword2.doc
  9268. MD5: 24d9d0912623cfe1eb155bfc1bb2096c
  9269. SHA1: ca0c9e56d06d745fb7e0540bdcbb358dab48d25b
  9270. 3728 2153
  9271. File
  9272. Open
  9273.  
  9274. C:\Documents and Settings\All Users\Application Data\System32\xfs
  9275. MD5: bce51e878b486b4fe34a7a1c8cd25f63
  9276. SHA1: 6a10783a3621faf48ffd884be9244acef668157d
  9277. 3728 5258
  9278. File
  9279. Close
  9280.  
  9281. C:\Documents and Settings\All Users\Application Data\System32\xfs
  9282. MD5: d189a2def54d1356d97f573457d73aa4
  9283. SHA1: 960ec9e071ce70826c7c2df1f58454312253ef73
  9284. 3728 5418
  9285. File
  9286. Open
  9287.  
  9288. C:\Documents and Settings\Default User\Templates\winword2.doc
  9289. MD5: 24d9d0912623cfe1eb155bfc1bb2096c
  9290. SHA1: ca0c9e56d06d745fb7e0540bdcbb358dab48d25b
  9291. 3728 2153
  9292. File
  9293. Close
  9294.  
  9295. C:\Documents and Settings\Default User\Templates\winword2.doc
  9296. MD5: 79444022092aac843f1f49ebbb35c43f
  9297. SHA1: 8185a5b6c014cf239c6c82a8dd5007d509ba7478
  9298. 3728 2160
  9299. File
  9300. Hide
  9301.  
  9302. C:\Documents and Settings\All Users\Application Data\System32\xfs
  9303. MD5: d189a2def54d1356d97f573457d73aa4
  9304. SHA1: 960ec9e071ce70826c7c2df1f58454312253ef73
  9305. 3728 5418
  9306. File
  9307. Rename
  9308.  
  9309. Old Name: C:\Documents and Settings\Default User\Templates\winword2.doc
  9310. New Name: C:\Documents and Settings\Default User\Templates\m4z6hnNG5Jzfea7EAbC+pSDSdnLGyGsT54xgmflTJrU=.4F3773
  9311. E1C2AF79622E62.no_more_ransom
  9312. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  9313. MD5: 79444022092aac843f1f49ebbb35c43f
  9314. SHA1: 8185a5b6c014cf239c6c82a8dd5007d509ba7478
  9315. 3728 2160
  9316. File
  9317. Open
  9318.  
  9319. C:\Documents and Settings\Default User\Templates\winword.doc
  9320. 3728 4608
  9321. File
  9322. Close
  9323.  
  9324. C:\Documents and Settings\Default User\Templates\winword.doc
  9325. MD5: b190e59303e28f295598f582b337407a
  9326. SHA1: f0c06618c05075a7bc9f7860b17eae622a6468d9
  9327. 3728 4992
  9328. File
  9329. Open
  9330.  
  9331. C:\Documents and Settings\All Users\Application Data\System32\xfs
  9332. MD5: d189a2def54d1356d97f573457d73aa4
  9333. SHA1: 960ec9e071ce70826c7c2df1f58454312253ef73
  9334. 3728 5418
  9335. File
  9336. Close
  9337.  
  9338. C:\Documents and Settings\All Users\Application Data\System32\xfs
  9339. MD5: 8fdc5ae8022f0184b0fe281193b2a31c
  9340. SHA1: c78432ff05ab18a0e1c10ada1c66a5dd832335ef
  9341. 3728 5578
  9342. File
  9343. Open
  9344.  
  9345. C:\Documents and Settings\Default User\Templates\winword.doc
  9346. MD5: b190e59303e28f295598f582b337407a
  9347. SHA1: f0c06618c05075a7bc9f7860b17eae622a6468d9
  9348. 3728 4992
  9349. File
  9350. Close
  9351.  
  9352. C:\Documents and Settings\Default User\Templates\winword.doc
  9353. MD5: 27783ec3ba48bfc8b4c5c832b04d5e86
  9354. SHA1: 7f93bc49483263eedcaf64eb9b95d12320be71c8
  9355. 3728 4992
  9356. File
  9357. Hide
  9358.  
  9359. C:\Documents and Settings\All Users\Application Data\System32\xfs
  9360. MD5: 8fdc5ae8022f0184b0fe281193b2a31c
  9361. SHA1: c78432ff05ab18a0e1c10ada1c66a5dd832335ef
  9362. 3728 5578
  9363. File
  9364. Rename
  9365.  
  9366. Old Name: C:\Documents and Settings\Default User\Templates\winword.doc
  9367. New Name: C:\Documents and Settings\Default User\Templates\5I7iDxM4lfcLBdNUT9HQHtchUUXvTjrecxg7Fq3aGxM=.4F3773
  9368. E1C2AF79622E62.no_more_ransom
  9369. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  9370. MD5: 27783ec3ba48bfc8b4c5c832b04d5e86
  9371. SHA1: 7f93bc49483263eedcaf64eb9b95d12320be71c8
  9372. 3728 4992
  9373. File
  9374. Open
  9375.  
  9376. C:\Documents and Settings\Default User\Templates\sndrec.wav
  9377. 3728 58
  9378. 66 Repeated items skipped
  9379. File
  9380. Close
  9381.  
  9382. C:\Documents and Settings\Default User\Cookies\index.dat
  9383. MD5: 9d9974dfca47938afbe1530c9901115d
  9384. SHA1: d25ec728e02a9a7b22b76719190f4d2b3e1bfe09
  9385. 3728 16768
  9386. Folder
  9387. Open
  9388.  
  9389. C:\Documents and Settings\Default User\Cookies
  9390. 3728
  9391. File
  9392. Rename
  9393.  
  9394. Old Name: C:\Documents and Settings\Default User\Cookies\index.dat
  9395. New Name: C:\Documents and Settings\Default User\Cookies\L9vFkdZbwYZBiCn42xwRNYmx30gqe0NXLZpl4xT5IyE=.4F3773E1
  9396. C2AF79622E62.no_more_ransom
  9397. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
  9398. MD5: 9d9974dfca47938afbe1530c9901115d
  9399. SHA1: d25ec728e02a9a7b22b76719190f4d2b3e1bfe09
  9400. 3728 16768
  9401. 34 Repeated items skipped
  9402. File
  9403. Close
  9404.  
  9405. C:\Documents and Settings\All Users\Application Data\System32\xfs
  9406. MD5: f5da60a725287c8c41ecdf051a291833
  9407. SHA1: 22a9766f266523818cb235a64ec4eb870b631676
  9408. 3728 7856
  9409. File
  9410. Hide
  9411.  
  9412. C:\Documents and Settings\All Users\Application Data\System32\xfs
  9413. MD5: f5da60a725287c8c41ecdf051a291833
  9414. SHA1: 22a9766f266523818cb235a64ec4eb870b631676
  9415. 3728 7856
  9416. Ransom
  9417.  
  9418. C:\Documents and Settings\All Users\Documents\ykQab\zvLmin.doc
  9419. MD5: a429f7e02827c5cb4549b687d134924b
  9420.  
  9421. Malicious Alert
  9422. Ransomware
  9423.  
  9424. Message: Ransomware Activity
  9425.  
  9426. Malicious Alert
  9427. Misc Anom
  9428.  
  9429. Message: Ransomware Activity
  9430.  
  9431. 1307 Repeated items skipped
  9432. File
  9433. Hide
  9434.  
  9435. C:\Documents and Settings\All Users\Application Data\System32\xfs
  9436. MD5: 852acadfd45e6f53dd8f79e5d685d196
  9437. SHA1: 009eaee6437acfa9658fb95ae58269834c3d92cf
  9438. 3728 66036
  9439. Regkey
  9440. Setval
  9441.  
  9442. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 290
  9443. 3728
  9444. Malicious Alert
  9445. Misc Anom
  9446.  
  9447. Message: System file created, modified, or overwritten
  9448.  
  9449. Malicious Alert
  9450. Misc Anom
  9451.  
  9452. Message: Suspicious Persistence Behavior